Microsoft exposes vulnerabilities in OpenVPN -- millions of devices at risk
Microsoft researchers have disclosed a series of medium-severity vulnerabilities in OpenVPN, a widely deployed open-source VPN solution embedded in routers, PCs, and smart devices worldwide. If exploited, the flaws could let attackers achieve remote code execution (RCE) and local privilege escalation (LPE), gaining unauthorized access to potentially millions of devices.
The research team showed how several of the flaws can be chained into a single attack sequence that ends with an attacker taking full control of an affected device. Exploitation is not trivial, however: the attacker must first hold valid OpenVPN user credentials and needs a deep understanding of OpenVPN's inner workings, which limits the pool of capable attackers but does not remove the need to patch.
OpenVPN is used across major platforms including Windows, iOS, macOS, Android, and BSD, and serves as a critical security tool for thousands of enterprises globally. The vulnerabilities affect all releases before 2.6.10 and 2.5.10 (that is, 2.6.9, 2.5.9 and earlier), posing a severe risk to unpatched endpoints and enterprise systems.
The vulnerabilities were reported to OpenVPN through Microsoft's Coordinated Vulnerability Disclosure (CVD) process in March 2024 and have been fixed in OpenVPN 2.6.10 and 2.5.10. Users are urged to update to one of these releases immediately to mitigate the risk.
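A practical first step is to confirm which build is actually installed on each host and whether it falls below the fixed release for its branch. The following script is an added example for this article, not code from Microsoft or the OpenVPN project. It assumes the banner format printed by `openvpn --version` on Linux and BSD (`OpenVPN <major>.<minor>.<patch> ...`), treats the two maintained branches as fixed at 2.5.10 and 2.6.10 respectively, and treats any older branch (2.4.x and below) as unpatched. The sample banners inside it are constructed for illustration; pre-release strings such as `2.7_alpha1` deliberately fall through as "unknown" rather than being guessed at.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First release on each maintained branch that contains the fixes for the
# four CVEs above. Assumption: only the 2.5.x and 2.6.x branches were patched.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (2, 5): (2, 5, 10),
    (2, 6): (2, 6, 10),
}

# Matches "OpenVPN 2.6.9 ..." at the start of the --version banner.
VERSION_RE = re.compile(r"\bOpenVPN\s+(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, patch) from an `openvpn --version` banner.

    Returns None when no x.y.z release string is present (e.g. for
    pre-release builds such as "2.7_alpha1"), so callers do not guess.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: Version) -> bool:
    """True if `version` is at or above the fixed release for its branch."""
    branch = (version[0], version[1])
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        # Branches older than 2.5 are end-of-life and never received the fix;
        # branches newer than 2.6 were cut after the fix landed.
        return branch > (2, 6)
    return version >= fixed


def assess(banner: str) -> Dict[str, str]:
    """Classify a banner as patched / vulnerable / unknown with upgrade advice."""
    v = parse_version(banner)
    if v is None:
        return {"version": "", "status": "unknown",
                "advice": "could not parse an OpenVPN x.y.z release; check manually"}
    text = "%d.%d.%d" % v
    if is_patched(v):
        return {"version": text, "status": "patched", "advice": "no action needed"}
    fixed = FIXED_RELEASES.get((v[0], v[1]))
    target = "%d.%d.%d" % fixed if fixed else "2.6.10 (current branch)"
    return {"version": text, "status": "vulnerable",
            "advice": "upgrade to %s or later" % target}


def installed_banner() -> str:
    """Run the local binary. `openvpn --version` exits non-zero on some
    builds, so the exit status is ignored and only stdout is used."""
    try:
        proc = subprocess.run(["openvpn", "--version"],
                              capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stdout


# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = [
    "OpenVPN 2.6.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [DCO] built on Feb 14 2024",
    "OpenVPN 2.6.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [DCO] built on Mar 20 2024",
    "OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] built on Jan 31 2023",
    "OpenVPN 2.4.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] built on Mar 17 2022",
    "OpenVPN 2.7_alpha1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] built on Jun 1 2024",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS + [installed_banner()]:
        if banner.strip():
            r = assess(banner)
            print("%-8s %-11s %s" % (r["version"] or "-", r["status"], r["advice"]))
```

Run it on a fleet by feeding each host's `openvpn --version` output into `assess()`; on Windows the binary lives under the OpenVPN installation directory and is not on `PATH` by default, so collect the banner there with the full path rather than relying on `installed_banner()`.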
The disclosed vulnerabilities include:
- CVE-2024-27459: A stack overflow that can cause denial of service (DoS) and local privilege escalation (LPE) on Windows.
- CVE-2024-24974: Unauthorized access to the OpenVPN interactive service's named pipe on Windows, which can be reached by remote clients.
- CVE-2024-27903: A flaw in the plugin mechanism enabling remote code execution (RCE) on Windows, and LPE and data manipulation on Android, iOS, macOS, and BSD.
- CVE-2024-1305: A memory overflow in the Windows TAP driver leading to denial of service (DoS).
Microsoft provided detailed mitigation guidance and emphasized that applying the latest patches is the primary defense. The company also praised OpenVPN for its prompt response and collaboration in addressing these issues, reinforcing the value of coordinated vulnerability disclosure in maintaining global cybersecurity.