There was a buffer overflow vulnerability in tap-windows6 version 9.21.1, in adapter.c: the code did not check the size of a registry string read by NdisReadConfiguration before copying it to a fixed-length buffer. The vulnerability could potentially allow arbitrary code execution in the kernel context of a signed driver, but exploiting it requires local Admin privileges. Further details are available in the reporter's GitHub repository.

This problem has been fixed in tap-windows6 version 9.21.2, which is bundled with openvpn-install-2.3.10-I604 and later. The I00x installers do not have this vulnerability, because they bundle the old NDIS 5-based tap-windows driver. The source code for the fix is available on GitHub.
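The kind of size check described above, shown as an added user-mode example; it is not the tap-windows6 code or the project's fix. The `counted_str` and `adapter_ctx` types, the 16-character buffer, and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical user-mode stand-in for a counted UTF-16 string value:
   length is in BYTES and no terminating NUL is guaranteed. */
typedef struct {
    uint16_t length;
    const uint16_t *buffer;
} counted_str;

#define NAME_CHARS 16            /* constructed destination size */

typedef struct {
    uint16_t name[NAME_CHARS];   /* fixed-length destination */
    uint32_t guard;              /* neighbour an overflow would clobber */
} adapter_ctx;

/* Returns 0 after a bounded copy, -1 if the value is rejected. */
int set_adapter_name(adapter_ctx *ctx, const counted_str *src)
{
    if (ctx == NULL || src == NULL || src->buffer == NULL)
        return -1;
    if (src->length % sizeof(uint16_t) != 0)   /* malformed UTF-16 */
        return -1;
    /* The size check: payload plus terminator must fit the destination.
       Copying src->length bytes without it is the bug class described. */
    if (src->length > sizeof(ctx->name) - sizeof(uint16_t))
        return -1;
    memcpy(ctx->name, src->buffer, src->length);
    ctx->name[src->length / sizeof(uint16_t)] = 0;
    return 0;
}

/* Constructed input of n 'A' characters (n <= 64); returns 1 when the
   result matches `expect` and the guard field is untouched. */
int check_len(size_t n, int expect)
{
    uint16_t v[64];
    adapter_ctx ctx = { {0}, 0xC0FFEEu };
    counted_str s = { (uint16_t)(n * sizeof(uint16_t)), v };
    for (size_t i = 0; i < 64; i++) v[i] = 'A';
    return set_adapter_name(&ctx, &s) == expect && ctx.guard == 0xC0FFEEu;
}

int main(void)
{
    /* 15 characters fit with the terminator; 16 and 40 do not. */
    return !(check_len(15, 0) && check_len(16, -1) && check_len(40, -1));
}
```

Rejecting an oversized value, rather than truncating it, keeps a malformed registry entry from being silently accepted as a different name.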

Last modified on 05/05/16 07:17:51