OpenVPN-Based Applications Endangered by Serious Vulnerabilities
Claroty warned that products built on OpenVPN are at risk of serious arbitrary code execution vulnerabilities that can be exploited if a victim visits a malicious page. In particular, the bugs affected products from companies such as HMS Industrial Networks, MB connect line, PerFact and Siemens.
Researchers have found that vendors typically deploy OpenVPN as a service with SYSTEM privileges, which poses security risks because any remote or local application can control OpenVPN to initiate or terminate secure connections.
Typically, a VPN client-server architecture includes a front end (a GUI application for the user), a back end (which accepts commands from the front end), and OpenVPN (a service managed by the back end that is responsible for the VPN connections).
Since the dedicated socket channel through which the front end controls the back end usually uses a cleartext protocol without any authentication, “anyone with access to the local TCP port that the backend is listening on can potentially load the OpenVPN configuration, and force the server side to create a new instance of OpenVPN with this configuration,” the experts say.
Essentially, the attacker only needs to trick the victim into visiting a malicious site containing JavaScript designed to send a blind POST request to the local port (to transmit commands to the VPN client's back end). The company says this is a classic example of an SSRF vulnerability.
Since the back-end server will automatically parse and execute any valid command it receives, it can be instructed to load a remote configuration file containing specific directives that lead to code execution or payload installation.
Fortunately, to achieve remote code execution the attacker needs access to an SMB server under their control; that is, the attacker must be on the same domain network as the target system, or the victim's computer must be allowed SMB access to external servers.
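As an added illustration of how a back end can close off the unauthenticated local channel described above, here is a small Python model of the checks a hardened command handler would apply. It is not code from Claroty, OpenVPN or any vendor named in the article; it assumes a hypothetical JSON command format (`{"cmd": "connect", "config": "<path>"}`), a per-session token shared only with the native GUI front end, and a fixed directory from which configuration files may be loaded. Browser-initiated requests are recognised by the `Origin` header a browser always attaches, remote (UNC or URL) configuration paths are refused, and configurations carrying directives that run external programs are rejected.

```python
"""Hardened handling of a local VPN back-end command channel (illustrative).

Added example, not vendor or OpenVPN project code. Assumptions:
  * the front end sends {"cmd": "connect", "config": "<path>"} as JSON;
  * a per-session secret is provisioned to the GUI out of band;
  * only files below ALLOWED_CONFIG_DIR may be loaded.
"""
import json
import os
import secrets
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Hypothetical per-login secret shared only with the legitimate front end
# (constructed here; a real product would provision it per user session).
SESSION_TOKEN = secrets.token_hex(16)

# Assumption: configuration files are only ever loaded from this directory.
ALLOWED_CONFIG_DIR = os.path.normpath("/etc/openvpn/client")

# OpenVPN directives that cause external programs to run; a configuration
# chosen by an untrusted caller should never be allowed to carry them.
SCRIPT_DIRECTIVES = {"up", "down", "plugin", "script-security", "route-up", "ipchange"}


@dataclass
class Request:
    """Simplified view of one HTTP-style message arriving on the local port."""
    origin: Optional[str]   # Origin header: present on browser-initiated requests
    token: Optional[str]    # shared secret attached by the native GUI front end
    body: str               # JSON payload from the caller


def is_local_config(path: str) -> bool:
    """Reject UNC paths, URLs and anything that escapes ALLOWED_CONFIG_DIR."""
    if path.startswith(("\\\\", "//")) or "://" in path:
        return False
    full = os.path.normpath(os.path.join(ALLOWED_CONFIG_DIR, path))
    return os.path.commonpath([ALLOWED_CONFIG_DIR, full]) == ALLOWED_CONFIG_DIR


def config_has_script_directive(config_text: str) -> bool:
    """True if any line starts with a directive that executes a program."""
    for line in config_text.splitlines():
        words = line.strip().split(maxsplit=1)
        if words and words[0].lower() in SCRIPT_DIRECTIVES:
            return True
    return False


def handle(req: Request, read_config: Callable[[str], str]) -> Tuple[bool, str]:
    """Decide whether to act on a request; returns (accepted, reason).

    read_config(path) -> str is injected so the example runs without
    touching the filesystem.
    """
    # 1. A browser always sends Origin; the native GUI never does, so any
    #    request carrying it is cross-site traffic and is dropped outright.
    if req.origin is not None:
        return False, "rejected: browser origin"
    # 2. Require the shared secret, compared in constant time.
    if not req.token or not secrets.compare_digest(req.token, SESSION_TOKEN):
        return False, "rejected: missing or bad token"
    try:
        cmd = json.loads(req.body)
    except json.JSONDecodeError:
        return False, "rejected: malformed body"
    if not isinstance(cmd, dict) or cmd.get("cmd") != "connect":
        return False, "rejected: unknown command"
    # 3. Only a file inside the fixed local directory may be loaded.
    path = str(cmd.get("config", ""))
    if not is_local_config(path):
        return False, "rejected: config path not local/allowed"
    # 4. Even an allowed file must not turn the SYSTEM service into a launcher.
    if config_has_script_directive(read_config(path)):
        return False, "rejected: config contains script directive"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample: the legitimate GUI versus a cross-site POST.
    def fake_read(path: str) -> str:
        return "client\nremote vpn.example.test 1194\n"

    gui = Request(origin=None, token=SESSION_TOKEN,
                  body='{"cmd": "connect", "config": "office.ovpn"}')
    browser = Request(origin="http://attacker.example", token=None,
                      body='{"cmd": "connect", "config": "office.ovpn"}')
    print("GUI:    ", handle(gui, fake_read))
    print("Browser:", handle(browser, fake_read))
```

The order of the checks matters: the `Origin` test and the token comparison reject the cross-site case before the body is even parsed, and the path and directive checks limit the damage if the token ever leaks to another local process. In a real product the token would be stored where only the logged-in user can read it, and the listener would bind to the loopback interface only.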
Let me remind you that we also reported that a vulnerability allows attackers to listen in on and intercept VPN connections.