On Tue, Nov 23, 2021 at 11:13 AM Selva Nair <selva.n...@gmail.com> wrote:
> > > On Tue, Nov 23, 2021 at 8:51 AM Ralf Hildebrandt < > ralf.hildebra...@charite.de> wrote: > >> Yeah, it's in german, but anyway: >> >> https://www.heise.de/news/FBI-warnt-vor-Einbruechen-via-VPN-Software-6274101.html >> >> "An attacker can take leverage on this architecture and send the >> config command from any application running on the local host machine >> to force the back-end server into initializing a new open-VPN instance >> with arbitrary open-VPN configuration. This could result in the >> attacker achieving execution with privileges of a SYSTEM user." > > This description appears to relate to OpenVPN Interactive Service. If so, it's not correct. The service runs OpenVPN.exe as a user, not as SYSTEM. On top of it a user can send arbitrary configs to the service only if an administrator grants the user permission to do it --- via a group membership. The user cannot start arbitrary "openvpn.exe" processes using the service: the process must reside in a location where an admin user has installed it. Selva >
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
