CVE-2023-7235: OpenVPN Vulnerability Puts Windows Users at Risk

by do son · February 21, 2024

OpenVPN has released version 2.6.9 for Windows, Mac, and Linux, addressing a severe privilege escalation vulnerability (CVE-2023-7235). This flaw, discovered by Will Dormann, affects Windows GUI installations of OpenVPN.

During non-standard OpenVPN GUI installations on Windows, insufficient permissions are applied to the installation directory. Due to Windows’ permissive defaults, this allows any user on the machine to modify files within this directory. An attacker exploiting this flaw could replace core OpenVPN components with malicious code, potentially gaining significant control upon the next OpenVPN service restart.

“Due to Windows defaulting to very open permissions by default, any user on this directory outside of standard system paths will be writable to anyone. This enables an attacker to replace the OpenVPN service component with some other code allowing the attacker to get more control over the host next time the OpenVPN service process is restarted,” OpenVPN wrote in its security bulletin.

Privilege escalation is a critical stage in many attack chains. Once an attacker has a foothold on a system, even as a low-level user, their focus shifts to elevating their privileges. This can unlock the ability to install malware, steal data, disrupt operations, or spread laterally across the network.

Due to the severity of CVE-2023-7235 and to benefit from OpenVPN 2.6.9’s improvements, it is strongly advised that all users download and install version 2.6.9.

You can read the full changelog for version 2.6.9 below:

Security fixes:

Windows Installer: fix CVE-2023-7235 where installing to a non-default
directory could lead to a local privilege escalation. Reported by Will Dormann.

New features:

Add support for building with mbedTLS 3.x.x
New option --force-tls-key-material-export to only accept clients
that can do TLS keying material export to generate session keys
(mostly an internal option to better deal with TLS 1.0 PRF failures).
Windows: bump vcpkg-ports/pkcs11-helper to 1.30
Log incoming SSL alerts in easier to understand form and move logging
from --verb 8 to --verb 3.
protocol_dump(): add support for printing --tls-crypt packets

User visible changes:

License change is now complete, and all code has been re-licensed
under the new license (still GPLv2, but with new linking exception
for Apache2 licensed code). See COPYING for details.

Code that could not be re-licensed has been removed or rewritten.
The original code for the --tls-export-cert feature has been removed
(due to the re-licensing effort) and rewritten without looking at the
original code. Feature-compatibility has been tested by other developers,
looking at both old and new code and documentation, so there should
not be a user-visible change here.
IPv6 route addition/deletion are now logged on the same level (3) as
for IPv4. Previously IPv6 was always logged at --verb 1.
Better handling of TLS 1.0 PRF failures in the underlying SSL library
(e.g. on some FIPS builds) – this is now reported on startup, and
clients before 2.6.0 that can not use TLS EKM to generate key material
are rejected by the server. Also, error messages are improved to see
what exactly failed.