{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-076.pdf"
    },
    "title": "Vulnerabilities in OpenVPN",
    "serial_number": "2024-076",
    "publish_date": "12-08-2024 13:31:53",
    "description": "On March 20, 2024, the OpenVPN community project team disclosed several vulnerabilities, CVE-2024-27459, CVE-2024-24974, CVE-2024-27903 and CVE-2024-1305 that could be chained to achieve remote code execution (RCE) and local privilege escalation (LPE).<br>\nOn August 8, 2024, Microsoft released a writeup for those vulnerabilities.<br>\n",
    "url_title": "2024-076",
    "content_markdown": "---\ntitle: 'Vulnerabilities in OpenVPN'\nnumber: '2024-076'\nversion: '1.0'\noriginal_date: 'March 20, 2024'\ndate: 'August 12, 2024'\n---\n\n_History:_\n\n* _12/08/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn March 20, 2024, the OpenVPN community project team disclosed several vulnerabilities, **CVE-2024-27459**, **CVE-2024-24974**, **CVE-2024-27903** and **CVE-2024-1305** that could be chained to achieve remote code execution (RCE) and local privilege escalation (LPE) [1].\n\nOn August 8, 2024, Microsoft released a writeup for those vulnerabilities [2].\n\n# Technical Details\n\n- CVE-2024-27459: Vulnerability in the communication mechanism between the `openvpn.exe` process and the `openvpnserv.exe` service.\n- CVE-2024-24974: Vulnerability involving unprivileged access to an operating system resource. The `openvpnserv.exe` service spawns a new `openvpn.exe` process based on user requests received through the `\\\\openvpn\\\\service` named pipe.\n- CVE-2024-27903: Vulnerability in OpenVPN's plugin mechanism that permits plugins to be loaded from various paths on an endpoint device.\n- CVE-2024-1305: Vulnerability in the \"tap-windows6\" project that involves developing the Terminal Access Point (TAP) adapter used by OpenVPN. In the project\u2019s src folder, the `device.c` file contains the code for the TAP device object and its initialisation.\n\nYou can find the complete technical explanation in the Microsoft report [2].\n\n# Affected Products\n\nAll versions of OpenVPN prior to version 2.6.10 (and 2.5.10).\n\n# Recommendations\n\nCERT-EU recommends OpenVPN users to apply the latest security updates as soon as possible [3].\n\n# References\n\n[1] <https://forums-new.openvpn.net/forum/announcements/69-release-openvpn-version-2-6-10>\n\n[2] <https://www.microsoft.com/en-us/security/blog/2024/08/08/chained-for-attack-openvpn-vulnerabilities-discovered-leading-to-rce-and-lpe/>\n\n[3] <https://openvpn.net/community-downloads/>",
    "content_html": "<p><em>History:</em></p><ul><li><em>12/08/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On March 20, 2024, the OpenVPN community project team disclosed several vulnerabilities, <strong>CVE-2024-27459</strong>, <strong>CVE-2024-24974</strong>, <strong>CVE-2024-27903</strong> and <strong>CVE-2024-1305</strong> that could be chained to achieve remote code execution (RCE) and local privilege escalation (LPE) [1].</p><p>On August 8, 2024, Microsoft released a writeup for those vulnerabilities [2].</p><h2 id=\"technical-details\">Technical Details</h2><ul><li>CVE-2024-27459: Vulnerability in the communication mechanism between the <code>openvpn.exe</code> process and the <code>openvpnserv.exe</code> service.</li><li>CVE-2024-24974: Vulnerability involving unprivileged access to an operating system resource. The <code>openvpnserv.exe</code> service spawns a new <code>openvpn.exe</code> process based on user requests received through the <code>\\\\openvpn\\\\service</code> named pipe.</li><li>CVE-2024-27903: Vulnerability in OpenVPN's plugin mechanism that permits plugins to be loaded from various paths on an endpoint device.</li><li>CVE-2024-1305: Vulnerability in the \"tap-windows6\" project that involves developing the Terminal Access Point (TAP) adapter used by OpenVPN. In the project\u2019s src folder, the <code>device.c</code> file contains the code for the TAP device object and its initialisation.</li></ul><p>You can find the complete technical explanation in the Microsoft report [2].</p><h2 id=\"affected-products\">Affected Products</h2><p>All versions of OpenVPN prior to version 2.6.10 (and 2.5.10).</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends OpenVPN users to apply the latest security updates as soon as possible [3].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://forums-new.openvpn.net/forum/announcements/69-release-openvpn-version-2-6-10\">https://forums-new.openvpn.net/forum/announcements/69-release-openvpn-version-2-6-10</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.microsoft.com/en-us/security/blog/2024/08/08/chained-for-attack-openvpn-vulnerabilities-discovered-leading-to-rce-and-lpe/\">https://www.microsoft.com/en-us/security/blog/2024/08/08/chained-for-attack-openvpn-vulnerabilities-discovered-leading-to-rce-and-lpe/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://openvpn.net/community-downloads/\">https://openvpn.net/community-downloads/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}