Date: 2020-02-28
Author: Andrew Hess
Software Link: https://openvpn.net/client-connect-vpn-for-windows/
Version: 3.1.0.361 (MSI)
CVE: CVE-2020-9442
2019.12.15 - Vulnerability discovered
2019.12.15 - Initial contact with the vendor
2020.01.xx - Vendor Patch - 3.1.1 (378) beta
Implemented a fix for a security issue related to the location of installation files
This is the official OpenVPN Connect client software for Windows workstation platforms developed and maintained by OpenVPN Inc. This is the recommended client program for the OpenVPN Access Server to enable VPN for Windows. The latest version of OpenVPN for Windows is available on our website.
If you have an OpenVPN Access Server, it is recommended to download the OpenVPN Connect client software directly from your own Access Server, as it will then come preconfigured for use for VPN for Windows. The version available here contains no configuration to make a connection, although it can be used to update an existing installation and retain settings.
The permissive folder permissions on "C:\ProgramData\OpenVPN Connect" allow an attacker without admin rights to place a malicious DLL next to tapinstall.exe. As soon as the OpenVPN client is installed or upgraded, the malicious DLL is loaded by tapinstall.exe and the shellcode is executed.
DEVRTL.dll, SPINF.dll, drvstore.dll, DEVOBJ.dll, newdev.dll, VCRUNTIME140.dll
- Drop a malicious drvstore.dll in C:\ProgramData\OpenVPN Connect\drivers\tap\amd64\win10
- Install openvpn-connect-3.1.0.361_signed.msi
- Shellcode is executed with the SYSTEM account
An attacker obtains SYSTEM privileges.
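A defender's check for the condition described above, as an added example that is not part of the original advisory: it lists allow ACEs that grant write-type rights on the two directories named above to any principal outside a trusted set, and reports the Authenticode status of any of the listed DLL names found beside tapinstall.exe. The trusted set (SYSTEM, Administrators, TrustedInstaller) and the function name Get-UntrustedWriteAce are assumptions of this example.

```powershell
# Added example: defensive audit, not part of the original advisory.
# Paths and DLL names are taken from the advisory text.
$Root      = 'C:\ProgramData\OpenVPN Connect'
$DriverDir = Join-Path $Root 'drivers\tap\amd64\win10'
$DllNames  = 'DEVRTL.dll','SPINF.dll','drvstore.dll','DEVOBJ.dll','newdev.dll','VCRUNTIME140.dll'

# Assumption: only these principals should be able to write to the install tree.
$TrustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow creating or replacing files, or rewriting the ACL:
# WriteData/CreateFiles, AppendData/CreateDirectories, ChangePermissions,
# TakeOwnership, plus the raw GENERIC_ALL and GENERIC_WRITE bits.
$WriteMask = 0x2 -bor 0x4 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

# Hypothetical helper: returns allow ACEs that give an untrusted SID write access.
function Get-UntrustedWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $TrustedSids -notcontains $_.IdentityReference.Value -and
            ([int]$_.FileSystemRights -band $WriteMask) -ne 0
        } |
        Select-Object @{n='Path';e={$Path}}, IdentityReference, FileSystemRights, IsInherited
}

# 1. Report write-capable ACEs on the root and on the driver directory.
foreach ($dir in $Root, $DriverDir) {
    if (Test-Path -LiteralPath $dir) { Get-UntrustedWriteAce -Path $dir }
}

# 2. Report signature status of any listed DLL name sitting beside tapinstall.exe.
if (Test-Path -LiteralPath $DriverDir) {
    Get-ChildItem -LiteralPath $DriverDir -File |
        Where-Object { $DllNames -contains $_.Name } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                File   = $_.FullName
                Status = $sig.Status
                Signer = $sig.SignerCertificate.Subject
            }
        }
}
```

Any row from the first step means a non-administrative principal can write into the directory the installer loads from; rows from the second step with a status other than Valid, or with an unexpected signer, warrant review before installing or upgrading.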