Search This Blog

Powered by Blogger.

Blog Archive

Labels

Severe Code Execution Flaws Impact OpenVPN-Based Applications

A total of five CVE identifiers were issued based on Claroty’s research.

 

Claroty security experts have issued the alert for several serious code execution vulnerabilities affecting OpenVPN-based virtual private network (VPN) solutions. 

HMS Industrial Networks, MB Connect Line, PerFact, and Siemens all have security flaws that allow intruders to get code execution by misleading prospective victims into accessing a maliciously designed web page, according to the firm. 

VPN solutions are intended to give users the ability to encrypt traffic flowing between their devices and a specified network, ensuring that potentially sensitive data is sent safely, and OpenVPN is the most widely used VPN implementation. 

Claroty revealed during its investigation of OpenVPN-based solutions that vendors typically deploy OpenVPN as a service with SYSTEM rights, posing security vulnerabilities because any remote or local app can manage an OpenVPN instance to begin or end a secure connection. A VPN client-server architecture typically includes a front end (a graphical user interface), a back end (which takes commands from the front end), and OpenVPN (a service controlled by the back end and responsible for the VPN connection). 

Because the front end controls the back end through a dedicated socket channel without any form of authentication, "anyone with access to the local TCP port the back end listens on could potentially load an OpenVPN config and force the back end to spawn a new OpenVPN instance with this configuration," Claroty explained. 

To exploit this issue, an attacker would simply mislead the user into visiting a malicious website with embedded JavaScript code that sends a blind POST request locally, injecting commands into the VPN client back end. This is a classic example of SSRF (Server-Side Request Forgery). 

According to Claroty's documentation, “Once the victim clicks the link, an HTTP POST request will be fired locally to the dedicated TCP port, and since HTTP is a cleartext based protocol which every line ends with \n, the back end server will read and ignore all the lines until reaching a meaningful command.” 

As the back end server would automatically read and execute all legal instructions it receives, it might be told to import a remote configuration file containing particular commands that lead to code execution or malicious payload installation. 

Claroty stated, “The attacker does not need to set up a dedicated OpenVPN server of their own because the up OpenVPN directive command is being executed before the connection to the OpenVPN server occurs.” 

However, connection to the attacker-controlled SMB server is required for remote code execution, which means the attacker must either be on the same domain as the target system or have the victim device enabled to allow SMB access to other servers, according to the researchers. 

Claroty's study resulted in the issuance of five CVE identifiers: CVE-2020-14498 (CVSS 9.6 – HMS Industrial Networks AB’s eCatcher), CVE-2021-27406 (CVSS 8.8 – PerFact’s OpenVPN-Client), CVE-2021-31338 (CVSS 7.8 – Siemens’ SINEMA RC Client), and CVE-2021-33526 and CVE-2021-33527 (CVSS 7.8 – MB connect line GmbH’s mbConnect Dialup).
Share it:

Bugs

Code Execution Flaw

Flaws

Open VPN

VPN

Vulnerabilities and Exploits