Hi,

On Fri, May 03, 2024 at 04:25:29PM -0400, mike tancsa wrote:
> Is there any more information about this somewhere ?
>
> https://www.blackhat.com/us-24/briefings/schedule/#ovpnx--zero-days-leading-to-rce-lpe-and-kce-via-byovd-affecting-millions-of-openvpn-endpoints-across-the-globe-38900

See "Changes.rst" :-)

Overview of changes in 2.6.10
=============================

Security fixes
--------------
- CVE-2024-27459: Windows: fix a possible stack overflow in the
  interactive service component which might lead to a local privilege
  escalation.
  Reported-by: Vladimir Tokarev <vtoka...@microsoft.com>

- CVE-2024-24974: Windows: disallow access to the interactive service
  pipe from remote computers.
  Reported-by: Vladimir Tokarev <vtoka...@microsoft.com>

- CVE-2024-27903: Windows: disallow loading of plugins from untrusted
  installation paths, which could be used to attack openvpn.exe via
  a malicious plugin. Plugins can now only be loaded from the OpenVPN
  install directory, the Windows system directory, and possibly from
  a directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir.
  Reported-by: Vladimir Tokarev <vtoka...@microsoft.com>

Short summary: if you want to use plugins on Windows, do not put them
into directories writeable for other users - and this is now enforced
by OpenVPN itself. The attack is somewhat obscure, and needs a chain of
"User A runs a plugin from a directory User B can write to, and User B
puts a malicious plugin there, exploiting a bug in the iservice".

On Windows, if you have other users on the system, just upgrade to
2.6.10 or 2.5.10.

On non-Windows, all the iservice bugs do not exist, and we didn't do
anything about plugin loading from "directories writeable for other
people" because we think that this is not a realistic scenario.

And, just because it needs to be said, kudos to Vladimir Tokarev for
discovering these, and working closely with us to get the fixes
designed, tested, and released. So I hope this makes a talk that is
fun and enlightening!

gert
--
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
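A pre-upgrade audit for the plugin rule quoted from Changes.rst above, added here as an illustration and not taken from the message or from OpenVPN's code: it lists every `plugin` directive in a config and marks whether its path stays inside the three trusted locations. The default install and system paths, the sample config, and the function names are assumptions; the check is a path comparison only and does not inspect directory ACLs.

```python
import ntpath
import shlex

# Assumed defaults for illustration; read the real values from the host.
INSTALL_DIR = r"C:\Program Files\OpenVPN"
SYSTEM_DIR = r"C:\Windows\System32"

# Constructed sample config (backslashes are doubled inside quotes).
SAMPLE = r'''
# constructed sample config
client
plugin "C:\\Program Files\\OpenVPN\\bin\\auth.dll" init
plugin "C:\\Program Files\\OpenVPN\\..\\..\\Users\\Public\\x.dll"
plugin C:/Users/Public/Downloads/helper.dll
plugin "D:\\vpn-plugins\\otp.dll"
'''

def _norm(path):
    # Collapse "..", unify separators and fold case, as Windows path comparison does.
    return ntpath.normcase(ntpath.normpath(path))

def is_trusted(plugin_path, trusted_dirs):
    """True only for an absolute path that stays inside one of trusted_dirs."""
    if not ntpath.isabs(plugin_path):
        return False  # relative paths depend on the working directory: review by hand
    p = _norm(plugin_path)
    # Trailing separator stops "OpenVPN2" from matching the "OpenVPN" prefix.
    return any(p.startswith(_norm(d) + "\\") for d in trusted_dirs)

def audit_config(text, plugin_dir=None):
    """Return [(line_no, path, trusted)] for each 'plugin' directive in text.

    plugin_dir stands in for the HKLM\\SOFTWARE\\OpenVPN\\plugin_dir value, if set.
    """
    trusted_dirs = [INSTALL_DIR, SYSTEM_DIR] + ([plugin_dir] if plugin_dir else [])
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(";"):
            continue  # ';' comment line
        try:
            words = shlex.split(line, comments=True)  # also drops '#' comments
        except ValueError:
            continue  # unbalanced quote: not a directive this audit can parse
        if len(words) >= 2 and words[0] in ("plugin", "--plugin"):
            findings.append((no, words[1], is_trusted(words[1], trusted_dirs)))
    return findings

if __name__ == "__main__":
    for no, path, ok in audit_config(SAMPLE):
        print(f"line {no}: {'ok     ' if ok else 'REVIEW '} {path}")
```

A path reported as inside a trusted directory still needs that directory to be non-writeable for other users, which this check does not verify.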