
Four vulnerabilities affecting OpenVPN

CVE-2024-24974, CVE-2024-27903, CVE-2024-27459, and CVE-2024-1305 are four vulnerabilities affecting OpenVPN prior to version 2.6.10. A threat actor could exploit these vulnerabilities to execute arbitrary code with SYSTEM privileges in kernel mode on a target system running a vulnerable version of OpenVPN. Exploitation requires credentials for a user in the OpenVPN Administrators group, which a threat actor could obtain from insecure network authentication such as NTLM. OpenVPN disclosed these four vulnerabilities on March 20, 2024, simultaneously with the release of OpenVPN 2.6.10. No proof-of-concept exploit has been released.

Details: https://security.microsoft.com/threatanalytics3/0f45821b-936a-4731-837d-501fcd7097a4/overview?tid=8fb1c748-1a93-4acb-a71a-4c07d2f055c4

The vulnerabilities can be exploited when administrators use insecure authentication protocols (NTLM, LDAP, etc.).

Favorable conditions for the attacker: MITM (man in the middle), a successful phishing attempt, and malware being executed.

Scenario: an administrator's credentials are captured through insecure authentication protocols.

The threat actor then executes code in kernel mode on an endpoint running a vulnerable OpenVPN build (that is, one older than 2.6.10).

Recommendations:

- Upgrade to a fixed OpenVPN version (2.6.10 or later)

- Use secure authentication

- Use endpoint protection (credential protection)
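A small fleet-triage script for the first recommendation, added here as an example and not part of the original post or of the OpenVPN project: it parses `openvpn --version` banners collected from hosts (the host names and banners below are constructed) and flags anything older than 2.6.10, comparing version components as integers so that 2.6.9 is correctly ranked below 2.6.10.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First release carrying the fixes for CVE-2024-24974, CVE-2024-27903,
# CVE-2024-27459 and CVE-2024-1305 (from the advisory text above).
FIXED_VERSION: Version = (2, 6, 10)

# Constructed sample first lines of `openvpn --version`, keyed by host name
# (host names and banners are made up for this example, not real hosts).
SAMPLE_BANNERS: Dict[str, str] = {
    "vpn-gw-01": "OpenVPN 2.6.9 [git:v2.6.9/abcdef] Windows [SSL (OpenSSL)] [LZO]",
    "vpn-gw-02": "OpenVPN 2.6.10 [git:v2.6.10/123456] Windows [SSL (OpenSSL)] [LZO]",
    "vpn-gw-03": "OpenVPN 2.5.8 [git:v2.5.8/789abc] Windows [SSL (OpenSSL)] [LZO]",
    "vpn-gw-04": "'openvpn' is not recognized as an internal or external command",
}

def parse_version(banner: str) -> Optional[Version]:
    """Return (major, minor, patch) from an OpenVPN banner, or None if absent."""
    m = re.search(r"\bOpenVPN\s+(\d+)\.(\d+)(?:\.(\d+))?", banner)
    if m is None:
        return None
    # A two-part version such as "2.6" is treated as patch level 0.
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_vulnerable(version: Version) -> bool:
    # Integer tuples compare element by element, so (2,6,9) < (2,6,10);
    # comparing the raw strings would get this wrong ("2.6.9" > "2.6.10").
    return version < FIXED_VERSION

def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Classify each host as 'vulnerable', 'patched' or 'unknown'."""
    report: Dict[str, str] = {}
    for host, banner in banners.items():
        version = parse_version(banner)
        if version is None:
            report[host] = "unknown"      # no banner: verify by hand, never assume patched
        elif is_vulnerable(version):
            report[host] = "vulnerable"
        else:
            report[host] = "patched"
    return report

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_BANNERS).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" are not safe by default; they simply could not be checked from the banner and need a manual look.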

References:

Sophos Authentication

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/WebAuthentication/AuthenticationMethods/index.html

Just for fun: having a vulnerability does not mean you will be hacked, but most hacks do involve a vulnerability. - vht
