OpenVPN has patched multiple holes that attackers could squeeze through


Microsoft has discovered multiple vulnerabilities in OpenVPN, a widely used VPN implementation integrated into millions of routers, PCs, firmware, mobile devices, and other smart tech. When chained together, they could be exploited for remote code execution (RCE) and privilege escalation attacks.

Windows, Mac, iOS, or Android – OpenVPN is used on all major platforms by thousands of companies worldwide. This virtual private network (VPN) system creates private and secure point-to-point connections between millions of devices worldwide.

However, Microsoft has warned that all OpenVPN versions prior to 2.6.10 put endpoints and enterprises at significant risk of attack.

By exploiting the disclosed vulnerabilities, attackers could gain “full control over targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information,” Microsoft Threat Intelligence warned in research demonstrated at Black Hat USA 2024.

This attack vector could be exploited by well-resourced threat groups because it necessitates user authentication, a deep understanding of OpenVPN’s inner workings, and intermediate knowledge of operating systems.

The vulnerabilities were discovered in the client-side architecture of OpenVPN. Four different vulnerabilities were disclosed in total.

They allowed attackers to cause a stack overflow, which could be used to execute arbitrary code with higher privileges, interact with the privileged OpenVPN interactive service, load an arbitrary plug-in, and overflow memory buffers, resulting in a bug check and potentially arbitrary code execution in kernel space.

“All the identified vulnerabilities can be exploited once an attacker gains access to a user’s OpenVPN credentials, which could be accomplished using credential theft techniques, such as purchasing stolen credentials on the dark web, using info-stealing malware, or sniffing network traffic,” the report reads.

A combination of vulnerabilities could lead to different exploitation results, including RCE and local privilege escalation.

On March 21st, 2024, OpenVPN released security updates addressing the issues. Microsoft is urging OpenVPN users to apply the updates as soon as possible. Organizations should identify whether any vulnerable versions of OpenVPN are installed on their systems and immediately apply the relevant patch.
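
One way to run that inventory check over collected `openvpn --version` banners, as an added example that is not from Microsoft or OpenVPN. The 2.6.10 threshold is the one stated in this article; the host names and banner lines are constructed sample data.

```python
import re

# Threshold from the article: versions prior to 2.6.10 are reported as at risk.
FIXED_VERSION = (2, 6, 10)

# The first line of `openvpn --version` starts with "OpenVPN <version> ...".
# The patch component is optional so pre-releases such as "2.6_rc2" still parse.
BANNER_RE = re.compile(r"^OpenVPN\s+(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(banner):
    """Return (major, minor, patch) from a banner line, or None if unrecognised."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(banner):
    """Classify one banner as 'vulnerable', 'patched' or 'unknown'."""
    version = parse_version(banner)
    if version is None:
        return "unknown"  # no banner collected: needs manual follow-up
    # Compare as integer tuples; comparing strings would rank "2.6.8" above "2.6.10".
    return "vulnerable" if version < FIXED_VERSION else "patched"


def audit(inventory):
    """Map each host in a {host: banner} inventory to its status."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical hosts, simplified banner lines).
SAMPLE_INVENTORY = {
    "laptop-01": "OpenVPN 2.6.8 Windows [SSL (OpenSSL)] [LZO] [LZ4]",
    "gw-02": "OpenVPN 2.6.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO]",
    "router-03": "OpenVPN 2.5.9 arm-openwrt-linux-gnu [SSL (OpenSSL)]",
    "build-04": "OpenVPN 2.6_rc2 x86_64-pc-linux-gnu [SSL (OpenSSL)]",
    "kiosk-05": "openvpn: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as `unknown` returned no recognisable banner and should be checked by hand rather than assumed clean.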