Microsoft Unveils Critical OpenVPN Vulnerabilities at Black Hat USA 2024—Immediate Patching Urged
August 12, 2024
Once attackers gain access to a user's OpenVPN credentials, they can exploit these vulnerabilities to execute sophisticated attacks.
During the recent Black Hat USA 2024 conference, Microsoft disclosed four medium-severity vulnerabilities in OpenVPN that pose significant security risks.
The identified vulnerabilities include CVE-2024-27459, which allows local privilege escalation for Windows users, CVE-2024-24974, enabling unauthorized access on Windows, CVE-2024-27903, which permits remote code execution and data manipulation across multiple platforms, and CVE-2024-1305, potentially leading to denial-of-service conditions on the Windows TAP driver.
These vulnerabilities could be exploited to achieve remote code execution (RCE) and local privilege escalation (LPE), impacting millions of OpenVPN endpoints worldwide.
All versions of OpenVPN prior to 2.6.10 and 2.5.10 are affected; successful exploitation requires user authentication and advanced knowledge of OpenVPN.
Attackers may obtain user credentials through various methods, including purchasing them on the dark web or employing information stealers.
By combining different vulnerabilities, attackers can enhance their ability to manipulate systems and evade detection.
CVE-2024-27903 specifically allows for remote code execution on Windows and local privilege escalation or data manipulation on Android, iOS, macOS, and BSD platforms.
Once local privilege escalation is achieved, attackers can disable security features and manipulate critical processes, further entrenching their control over the system.
Exploiting these vulnerabilities could allow attackers to disable critical security processes, such as Microsoft Defender, and manipulate system functions to avoid detection.
The OpenVPN team has fixed these vulnerabilities after private coordination with Microsoft, although no details on live exploitation were disclosed during the conference.
Microsoft emphasized the importance of applying patches available in OpenVPN version 2.6.10 to mitigate these vulnerabilities.
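To find endpoints that still need the update, the version cut-offs above can be checked against collected `openvpn --version` banners. The following is an added example, not code from Microsoft, OpenVPN or the cited sources; the host names and banner lines are constructed, and it assumes 2.5.10 is the fix for the 2.5.x branch and 2.6.10 for 2.6.x.

```python
import re

# Fixed releases named in the summary: 2.6.10 and 2.5.10.
# Assumption: 2.5.10 fixes the 2.5.x branch and 2.6.10 fixes 2.6.x;
# anything older than 2.5 counts as affected.
FIXED_BY_BRANCH = {(2, 5): (2, 5, 10), (2, 6): (2, 6, 10)}
NEWEST_FIX = (2, 6, 10)

# First line of `openvpn --version` starts with "OpenVPN <major>.<minor>.<patch>".
BANNER_RE = re.compile(r"\bOpenVPN (\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(banner):
    """Return (major, minor, patch) as integers, or None if not recognised."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    return tuple(int(part or 0) for part in m.groups())


def classify(banner):
    """Return 'affected', 'patched' or 'unknown' for one version banner."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    # Compare as integer tuples: as strings, "2.6.9" sorts after "2.6.10".
    fixed = FIXED_BY_BRANCH.get(version[:2], NEWEST_FIX)
    return "patched" if version >= fixed else "affected"


def audit(inventory):
    """Map each host to its status; anything not 'patched' needs follow-up."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory: hypothetical hosts, banners shaped like the
# first line of `openvpn --version`.
SAMPLE_INVENTORY = {
    "vpn-gw-01": "OpenVPN 2.6.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]",
    "vpn-gw-02": "OpenVPN 2.6.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]",
    "legacy-03": "OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO]",
    "legacy-04": "OpenVPN 2.4.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO]",
    "printer-05": "command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

A banner check cannot see fixes that a distribution has backported into an older version number, so treat an "affected" result on a vendor-packaged build as a prompt to check that vendor's advisory.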
Summary based on 3 sources
Sources

The Hacker News • Aug 9, 2024
Microsoft Reveals Four OpenVPN Flaws Leading to Potential RCE and LPE
SecurityWeek • Aug 12, 2024
Microsoft Warns of OpenVPN Vulnerabilities, Potential for Exploit Chains
Security Affairs • Aug 12, 2024
Microsoft found OpenVPN bugs that can be chained to achieve RCE and LPE