Report Finds Increasing Number of Vulnerabilities in OpenVPN

OpenVPN, an open source virtual private network (VPN) system integrated into millions of routers, firmware, PCs, mobile devices and other smart devices, is leaving users open to a growing list of threats, according to a recent report from Microsoft.

The company released a security report detailing some of the latest holes in the open source service, and is warning that many of these vulnerabilities could be used in conjunction "to achieve an attack chain consisting of remote code execution (RCE) and local privilege escalation (LPE)." The report was compiled after Microsoft discussed a handful of new OpenVPN holes during a session at Black Hat USA 2024.

Microsoft initially reported these vulnerabilities to OpenVPN in March 2024 through Coordinated Vulnerability Disclosure (CVD) via the Microsoft Security Vulnerability Research (MSVR) team. Following this, Microsoft and OpenVPN worked together to patch the vulnerabilities, culminating in the release of OpenVPN 2.6.10.   

The discovered vulnerabilities include:

  • CVE-2024-27459: Affects the openvpnserv component, leading to potential denial of service (DoS) and local privilege escalation (LPE) in Windows.
  • CVE-2024-24974: Also within openvpnserv, this vulnerability allows unauthorized access to Windows.
  • CVE-2024-27903: This flaw can result in remote code execution (RCE) on Windows and LPE or data manipulation on Android, iOS, macOS and BSD.
  • CVE-2024-1305: Affects the Windows TAP driver, leading to a potential DoS on Windows.

"All the identified vulnerabilities can be exploited once an attacker gains access to a user's OpenVPN credentials, which could be accomplished using credential theft techniques, such as purchasing stolen credentials on the dark web, using info-stealing malware, or sniffing network traffic to capture NTLMv2 hashes and then using cracking tools like HashCat or John the Ripper to decode them," wrote the Microsoft Threat Intelligence team.

What's interesting is that the discovered vulnerabilities all can be found on the client side. Microsoft stressed that OpennVPN's server is secure, and discovered no holes on that side of the equation.

Microsoft reported these vulnerabilities to OpenVPN in March 2024 through Coordinated Vulnerability Disclosure (CVD) via the Microsoft Security Vulnerability Research (MSVR) team. Following this, Microsoft and OpenVPN worked together to patch the vulnerabilities, culminating in the release of OpenVPN 2.6.10.  However, Microsoft said that users are strongly urged to apply the latest security updates to mitigate potential risks as soon as available.

Microsoft advises organizations using OpenVPN to verify their versions and apply the necessary patches immediately. In addition, ensuring strong credential management and limiting access to VPN services can further mitigate potential risks.

For more information, visit the Microsoft blog post.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

  • pattern of icons for math and reading, including a pi symbol, calculator, and open book

    HMH Launches Personalized Path Solution

    Adaptive learning company HMH has introduced HMH Personalized Path, a K-8 ELA and math product that combines intervention curriculum, adaptive practice, and assessment for students of all achievement levels.

  • red brick school building with a large yellow "AI" sign above its main entrance

    New National Academy for AI Instruction to Provide Free AI Training for Educators

    In an effort to "transform how artificial intelligence is taught and integrated into classrooms across the United States," the American Federation of Teachers (AFT), in partnership with Microsoft, OpenAI, Anthropic, and the United Federation of Teachers, is launching the National Academy for AI Instruction, a $23 million initiative that will provide access to free AI training and curriculum for all AFT members, beginning with K-12 educators.

  • laptop on a desk with its screen displaying numerous colorful educational app icons

    Survey Finds Majority of Schools Using 10 to 15 Educational Apps

    A new report points to the fragmented digital landscape of educational apps in use at schools and districts across the country.

  • laptop displaying AI-powered educational content

    Kira Introduces AI-Generated Lesson Tool

    AI company Kira has announced a new AI-powered lesson generation tool that it says delivers complete, standards-aligned lessons that are personalized to each student.