A new vulnerability in the VPN service SaferVPN has been discovered that could allow local privilege escalation on Windows systems. The researcher mmht3t discovered this vulnerability and summarised the exploitation chain as follows:
- When SaferVPN attempts to connect to a VPN server it spawns the OpenVPN executable in the context of NT AUTHORITY\SYSTEM;
- The VPN then tries to load an openssl.cnf configuration file from a non-existing folder (C:\etc\ssl\openssl.cnf);
- Low-privileged users are able to create folders under C:\ on Windows, so it is possible for them to create the appropriate path and place a crafted openssl.cnf file in it;
- Once OpenVPN starts under SaferVPN, this file can load a malicious OpenSSL engine library, which results in arbitrary code execution as SYSTEM.
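The weakness in the chain above is a privileged process reading configuration from a path that does not exist and that unprivileged users can create. The following PowerShell script is an added defender-side check, not code from the article or from SaferVPN: it walks from the config path named in the write-up (C:\etc\ssl\openssl.cnf) up to the first existing ancestor, reports whether the well-known low-privilege groups (BUILTIN\Users, Authenticated Users, Everyone) hold write or create rights there, and warns if the file already exists so its owner and contents can be reviewed. The group names and rights mask are standard Windows values; the path is the one the article gives.

```powershell
# Added defender check (not part of the original article or SaferVPN's own code).
# Audits whether the OpenSSL config path that a SYSTEM-level OpenVPN process
# would read exists, and whether unprivileged users could create or modify it.
param(
    # Path taken from the article; override to audit a different config location.
    [string]$ConfigPath = 'C:\etc\ssl\openssl.cnf'
)

# Groups a low-privileged interactive user is normally a member of (standard Windows identities).
$lowPrivIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# Any of these rights lets a principal create or alter files/folders under the path.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
               [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-LowPrivWritable {
    param([string]$Path)
    # Simplified evaluation: only Allow ACEs are considered; Deny ACEs are not applied.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) { return $true }
    }
    return $false
}

# Find the deepest existing ancestor of the config path. Whoever can write there
# can create the missing remainder of the path (the drive root always exists).
$probe = $ConfigPath
while (-not (Test-Path -LiteralPath $probe)) {
    $probe = Split-Path -Parent $probe
}

if (Test-Path -LiteralPath $ConfigPath) {
    $owner = (Get-Acl -LiteralPath $ConfigPath).Owner
    Write-Warning "$ConfigPath already exists and would be parsed as SYSTEM. Owner: $owner. Review its contents."
}

if (Test-LowPrivWritable -Path $probe) {
    Write-Warning "Low-privileged users can write under '$probe', so they could supply '$ConfigPath' themselves."
} else {
    Write-Output "'$probe' is not writable by low-privileged groups; '$ConfigPath' cannot be planted by a standard user."
}
```

On a default Windows install the check stops at C:\ and flags it, because BUILTIN\Users is granted "create folders" on the drive root, which is exactly what the chain relies on. Until a vendor fix is applied, the usual hardening for this class of config-planting issue is to pre-create the expected directory with an ACL that only Administrators and SYSTEM can write to, and to re-run the check afterwards; that is general practice, not a mitigation the article itself describes.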
With VPN usage more important than ever due to mass remote working, it is vital that these vulnerabilities are patched at the earliest opportunity, so it is disappointing to learn that this was not fixed within the 90-day disclosure window. However, this also highlights the time and expertise being spent on targeting all aspects of information security. With millions now at home, VPN usage has increased dramatically, which has put a dent in threat actors' attack vectors. The sophistication of these actors should never be underestimated, and it is everyone's responsibility to patch security vulnerabilities as soon as possible.