OpenVPN Windows NSIS installers have three vulnerabilities described in ​NSIS bug 1125. The most serious of these issues (#1) allows running unsolicited code and an escalation of privilege attack using DLL Search Order Hijacking (​CAPEC-471) as OpenVPN installers are generally executed with Admin privileges. What NSIS/Windows does is actually prefer loading DLLs in the current directory, which in case of the Downloads folder is writable by the user. Thus the exploit is trivial to exploit, but only if the attacker has already managed to get a malicious DLL into user's Downloads folder

The following installers have been built with an NSIS version which includes fixes for the three bugs:

• openvpn-install-2.4.4-I601
• openvpn-install-2.3.18-I601
• openvpn-install-2.3.18-I001

Based on our testing, though, Windows 7 may still suffer from at least problem #1 as it is lacks the API calls used by the fix. Newer Windows versions - at least Windows 2012r2 - are not vulnerable if updated installers are used. Because this type of issues are very tricky to fully fix in executable installer we strongly recommend not to run any installers, including OpenVPN's, directly from the Downloads directory.

Our long term plan is to start distributing OpenVPN as an MSI package instead.

This issue was brought to our attention by Stefan Kanthak.

Further details:

• ​https://sourceforge.net/p/nsis/bugs/1125/
• ​https://capec.mitre.org/data/definitions/471.html
• ​https://msdn.microsoft.com/en-us/library/windows/desktop/hh310515%28v=vs.85%29.aspx
• ​http://blogs.msdn.com/b/larryosterman/archive/2004/07/19/187752.aspx