OpenVPN-Based Applications Endangered by Serious Vulnerabilities

Claroty warned that products built on OpenVPN are at risk of serious arbitrary code execution vulnerabilities that can be exploited if a victim visits a malicious page. In particular, the bugs affected the solutions of such companies as HMS Industrial Networks, MB connect line, PerFact and Siemens.

Researchers have found that vendors typically deploy OpenVPN as a service with SYSTEM privileges, which poses security risks as any remote or local application can control OpenVPN to initiate or terminate secure connections.

Typically, a VPN client-server architecture includes a front end (a GUI application for the user), a back end (which accepts commands from the front end), and OpenVPN itself (a service managed by the back end that is responsible for the VPN connections).

Since the dedicated socket channel through which the interface controls the backend most often uses a cleartext protocol without any authentication, “anyone with access to the local TCP port that the backend is listening on can potentially load the OpenVPN configuration, and force the server side to create a new instance of OpenVPN with this configuration,” the experts say.

Basically, the attacker only needs to trick the victim into visiting a malicious site with JavaScript designed to send a blind POST request to the local port (to transmit commands to the VPN client's server side). The company says this is a classic example of an SSRF vulnerability.

As soon as the victim clicks on the link, the HTTP POST request is sent locally to the dedicated TCP port. Since HTTP is a cleartext protocol in which each line ends with \n, the backend server will read and ignore all lines until it gets to a valid command, the company's report says.

Since the backend server will automatically parse and execute any valid commands it receives, it can be instructed to load a remote configuration file containing specific commands leading to code execution or payload installation.
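To make this parsing weakness concrete from the defender's side, here is an added example (not code from Claroty's report or from any of the affected vendors) contrasting a permissive line-oriented command parser with a hardened one that rejects cross-protocol input and requires authentication. The command grammar (AUTH, LOAD_CONFIG, CONNECT, DISCONNECT), the token and the sample POST are constructed assumptions, not the real backends' protocol.

```python
import hmac
import re

# Constructed sample: what a browser-originated POST looks like when it lands
# on a line-oriented local control socket. The command name is hypothetical.
CONSTRUCTED_HTTP_POST = (
    "POST / HTTP/1.1\r\n"
    "Host: 127.0.0.1:PORT\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 29\r\n"
    "\r\n"
    "LOAD_CONFIG placeholder.ovpn\n"
)

KNOWN_COMMANDS = {"LOAD_CONFIG", "CONNECT", "DISCONNECT"}  # hypothetical grammar
HTTP_REQUEST_LINE = re.compile(r"^(GET|POST|PUT|HEAD|OPTIONS|DELETE|PATCH)\s+\S+\s+HTTP/\d")


def lenient_parse(stream: str):
    """Permissive parser: skips every unrecognised line until a valid command.
    This is the behaviour the article describes; HTTP headers are simply ignored."""
    for raw in stream.split("\n"):
        parts = raw.strip().split(" ", 1)
        if parts[0] in KNOWN_COMMANDS:
            return parts[0], (parts[1] if len(parts) > 1 else "")
    return None


def strict_parse(stream: str, expected_token: str):
    """Hardened parser: the first line must be 'AUTH <token>', anything shaped
    like an HTTP request line aborts the session, and an unknown line is an
    error rather than something to skip over."""
    lines = stream.split("\n")
    if not lines or HTTP_REQUEST_LINE.match(lines[0]):
        return None  # cross-protocol request from a browser: reject the session
    first = lines[0].strip().split(" ", 1)
    if first[0] != "AUTH" or len(first) < 2:
        return None
    if not hmac.compare_digest(first[1], expected_token):
        return None  # constant-time compare so the token is not leaked by timing
    for raw in lines[1:]:
        line = raw.strip()
        if not line:
            continue
        parts = line.split(" ", 1)
        if parts[0] not in KNOWN_COMMANDS:
            return None  # unknown line: abort instead of skipping ahead
        return parts[0], (parts[1] if len(parts) > 1 else "")
    return None
```

The same constructed POST yields a command from the lenient parser and is rejected outright by the strict one, while a properly authenticated local session still works.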

Fortunately, to achieve remote code execution the attacker needs access to an SMB server under their control, meaning they must be on the same domain network as the target system, or the victim’s computer must be allowed SMB access to external servers.

In total, after Claroty’s research, identifiers were assigned to five vulnerabilities: CVE-2020-14498 (CVSS score 9.6, HMS Industrial Networks AB eCatcher), CVE-2021-27406 (CVSS score 8.8, PerFact OpenVPN client), CVE-2021-31338 (CVSS score 7.8, Siemens SINEMA RC client), as well as CVE-2021-33526 and CVE-2021-33527 (CVSS score 7.8, MB connect line GmbH mbConnect Dialup).

Let me remind you that we also reported that a vulnerability allows attackers to listen to and intercept VPN connections.


Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
