OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service.
The OpenVPN plugin system on Windows does not restrict the locations from which plugin files can be loaded. An attacker can place a malicious DLL library in any location accessible to the process and then trick the application into loading it. The loaded plugin gains the ability to interact with the privileged OpenVPN Interactive Service, which runs with elevated system privileges.
An attacker can execute arbitrary code with system privileges, leading to complete system compromise, disclosure of sensitive data, and violation of system integrity and availability.
OpenVPN should be updated to a version higher than 2.6.9, which restricts the directories from which plugins can be loaded. Details are available in the official security advisory from the vendor: https://openvpn.net/security-advisory/ovpnx-vulnerability-cve-2024-27903-cve-2024-27459-cve-2024-24974/
OpenVPN version 2.6.9 and earlier running on Windows
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOpenvpn
APPOpenvpn< 2.5.102.6.0 – 2.6.10 (bez)
Related vulnerabilities
OpenVPN: heap buffer over-read przy parsowaniu adresów IP
OpenVPN: Wstrzyknięcie danych przez nieoczyszczone wiadomości PUSH_REPLY
Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir, leaking memory buffers or rem...
OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when...
A cross-protocol scripting issue was discovered in the management interface in OpenVPN through 2.4.5. When thi...