Changes between Initial Version and Version 1 of NSISBug1125

09/22/17 11:51:30 (7 years ago)
Samuli Seppänen

Add security announcement for NSIS bug #1125


  • NSISBug1125

    v1 v1  
     1OpenVPN Windows NSIS installers have three vulnerabilities described in [ NSIS bug 1125]. The most serious of these issues (!#1) allows running unsolicited code and an escalation of privilege attack using DLL Search Order Hijacking ([ CAPEC-471]) as OpenVPN installers are generally executed with Admin privileges. What NSIS/Windows does is actually prefer loading DLLs in the current directory, which in case of the Downloads folder is writable by the user. Thus the exploit is trivial to exploit, but only if the attacker has already managed to get a malicious DLL into user's Downloads folder
     3The following installers have been built with an NSIS version which includes fixes for the three bugs:
     5* openvpn-install-2.4.4-I601
     6* openvpn-install-2.3.18-I601
     7* openvpn-install-2.3.18-I001
     9Based on our testing, though, Windows 7 may still suffer from at least problem !#1 as it is lacks the API calls used by the fix. Newer Windows versions - at least Windows 2012r2 - are not vulnerable if updated installers are used. Because this type of issues are very tricky to fully fix in executable installer we strongly recommend ''not'' to run any installers, including OpenVPN's, directly from the Downloads directory.
     11Our long term plan is to start distributing OpenVPN as an MSI package instead.
     13This issue was brought to our attention by Stefan Kanthak.
     15Further details:
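Review bot: The recommendation in the Windows 7 paragraph only says where not to run installers ("directly from the Downloads directory") and never says what to do instead, which matters because the same paragraph states that Windows 7 may still suffer from problem #1 even with the fixed installers. Suggest adding an explicit step, for example moving the installer into a newly created, empty directory before running it, and placing that advice ahead of the list of fixed installers so Windows 7 users do not read the list as a complete fix. Wording: "the exploit is trivial to exploit" should read "the vulnerability is trivial to exploit" and that sentence is missing its final period; "as it is lacks" should be "as it lacks"; "this type of issues are" should be "issues of this type are". As shown here, "Further details:" is followed by nothing and the "[ NSIS bug 1125]" and "[ CAPEC-471]" links show no target, so check that both links and the details section are filled in before publishing.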