OpenVPN is advising users of its Desktop Client to upgrade as soon as possible to avoid attacks against a CSRF vulnerability that can allow remote code execution.
The vulnerability lies in a product that the company no longer supports and considers obsolete. An attacker could exploit the vulnerability if a user running a vulnerable version visits the attacker’s malicious site. Researchers at SEC Consult in Austria discovered the vulnerability and reported it to OpenVPN back in May.
“The OpenVPN Access Server ‘Desktop Client’ consists of two parts, a Windows service that offers an XML-RPC API via a webserver on localhost and a GUI component that connects to this API,” the SEC Consult advisory says.
“The XML-RPC API is vulnerable to Cross-Site Request Forgery (CSRF). Using the API commands an attacker can: unmask a victim (e.g. by disconnecting an established VPN connection), perform MITM attacks (by connecting the victim to an ‘evil’ VPN server), execute arbitrary code with SYSTEM privileges (by adding a VPN profile that executes code).”
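The root cause described above is a localhost XML-RPC service that accepts any POST a browser sends it. As an added example (not OpenVPN's or SEC Consult's code), here is a minimal Python localhost XML-RPC service with the checks that close that hole: it refuses any request that carries an Origin header (only web pages send one), requires the Host header to be the loopback binding, and demands a secret token in a custom header that an HTML form cannot set. The port, the header name and the `status` method are assumptions.

```python
import hmm_placeholder_never_used  # noqa: F401 (removed below)
```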
OpenVPN provides several different VPN and security services, but the only one affected by this vulnerability is the company’s Desktop Client for its Access Server, an SSL VPN for a variety of platforms. The vulnerability is only in the Windows versions of the software.
“All Access Server customers using the ‘Desktop Client’ app for Windows should upgrade immediately to the OpenVPN Connect client. The ‘Desktop Client’ is obsolete and is no longer maintained or available for download. This client contains a CSRF (Cross Site Request Forgery) vulnerability that can allow remote code execution by a malicious web site,” OpenVPN said in its advisory to customers.
“It is also bundled with an older version of OpenSSL that has not received recent OpenSSL security updates. This advisory only applies to the OpenVPN Access Server ‘Desktop Client’ app for Windows, and does not affect OpenVPN Connect, Private Tunnel, or community builds of OpenVPN for Windows.”