Changes between Initial Version and Version 1 of NSISBug1125


Timestamp: 09/22/17 11:51:30
Author: Samuli Seppänen
Comment: Add security announcement for NSIS bug #1125

OpenVPN Windows NSIS installers have three vulnerabilities described in [https://sourceforge.net/p/nsis/bugs/1125/ NSIS bug 1125]. The most serious of these issues (!#1) allows running unsolicited code and an escalation of privilege attack using DLL Search Order Hijacking ([https://capec.mitre.org/data/definitions/471.html CAPEC-471]), as OpenVPN installers are generally executed with Admin privileges. NSIS/Windows actually prefers loading DLLs from the current directory, which in the case of the Downloads folder is writable by the user. Thus the vulnerability is trivial to exploit, but only if the attacker has already managed to get a malicious DLL into the user's Downloads folder.

The following installers have been built with an NSIS version which includes fixes for the three bugs:

* openvpn-install-2.4.4-I601
* openvpn-install-2.3.18-I601
* openvpn-install-2.3.18-I001

Based on our testing, though, Windows 7 may still suffer from at least problem !#1 as it lacks the API calls used by the fix. Newer Windows versions - at least Windows 2012r2 - are not vulnerable if updated installers are used. Because this type of issue is very tricky to fully fix in an executable installer, we strongly recommend ''not'' running any installers, including OpenVPN's, directly from the Downloads directory.
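Two defender-side checks for the conditions described above, as an added example that is not part of the OpenVPN announcement or the NSIS fix: whether this Windows exposes the SetDefaultDllDirectories API (the linked MSDN page; the example assumes this is the API the NSIS fix relies on and that an unpatched Windows 7 lacks), and whether any DLLs sit in the user's Downloads folder next to installers, which is the precondition for the hijack. The function names and the Downloads path are the example's own assumptions.

```powershell
# Added example, not from the announcement. Assumes the NSIS fix depends on
# SetDefaultDllDirectories being exported by kernel32.dll (missing on an
# unpatched Windows 7), and that installers live in %USERPROFILE%\Downloads.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @"
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
"@

# Check 1: can an installer built with the fix actually restrict the DLL
# search path on this machine? Resolve the export at runtime, the same way
# a loader stub that must also run on older Windows would have to.
function Test-SafeDllSearchApi {
    $k32  = [Win32.Native]::GetModuleHandle("kernel32.dll")
    $addr = [Win32.Native]::GetProcAddress($k32, "SetDefaultDllDirectories")
    return ($addr -ne [IntPtr]::Zero)
}

# Check 2: are there installers and DLLs side by side in Downloads? Any DLL
# there is loadable by an installer run from that directory, regardless of
# which vendor's installer it is.
function Get-DownloadsDllRisk {
    param([string]$Folder = (Join-Path $env:USERPROFILE "Downloads"))
    $installers = @(Get-ChildItem -Path $Folder -Filter *.exe -File -ErrorAction SilentlyContinue)
    $dlls       = @(Get-ChildItem -Path $Folder -Filter *.dll -File -ErrorAction SilentlyContinue)
    [PSCustomObject]@{
        Folder     = $Folder
        Installers = $installers | Select-Object -ExpandProperty Name
        Dlls       = $dlls | Select-Object -ExpandProperty Name
        AtRisk     = ($installers.Count -gt 0 -and $dlls.Count -gt 0)
    }
}

if (Test-SafeDllSearchApi) {
    "SetDefaultDllDirectories available: a fixed installer can restrict its DLL search path"
} else {
    "SetDefaultDllDirectories missing: the installer-side fix cannot take effect on this Windows"
}

$risk = Get-DownloadsDllRisk
if ($risk.AtRisk) {
    "WARNING: DLL(s) present in $($risk.Folder) next to installers: $($risk.Dlls -join ', ')"
    "Move installers to an empty directory before running them"
} else {
    "No DLLs found next to installers in $($risk.Folder)"
}
```

On a machine where the first check fails, the recommendation above (never run installers straight from Downloads) is the only mitigation available to the user, since no installer-side fix can apply.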

Our long term plan is to start distributing OpenVPN as an MSI package instead.

This issue was brought to our attention by Stefan Kanthak.

Further details:

* https://sourceforge.net/p/nsis/bugs/1125/
* https://capec.mitre.org/data/definitions/471.html
* https://msdn.microsoft.com/en-us/library/windows/desktop/hh310515%28v=vs.85%29.aspx
* http://blogs.msdn.com/b/larryosterman/archive/2004/07/19/187752.aspx