Commit 8795ccfd25 to openvpn-build made the NSIS installer manage services using SimpleSC NSIS plugin. The new service management commands did not properly quote service paths which created a subtle medium-level vulnerability. The vulnarability can be exploited if two conditions are met:

  • The C:\ drive is writeable by limited user(s)
  • OpenVPN was installed using official OpenVPN 2.4 Windows installers

Users of such systems are urged to upgrade to openvpn-install-2.4.3-I602 or later as soon as possible.

Thanks to Jason Haar for finding and reporting this issue! The original Nessus report is available below.

Original Nessus report


The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker can gain elevated privileges by inserting an executable file in the path of the affected service.

Note that this is a generic test that will flag any application affected by the described vulnerability.


Ensure that any services that contain a space in the path enclose the path in quotes.

See Also


Nessus found the following services with an untrusted path:

  • OpenVPNServiceLegacy : C:\Program Files\OpenVPN\bin\openvpnserv.exe
  • OpenVPNServiceInteractive : C:\Program Files\OpenVPN\bin\openvpnserv.exe
Last modified 6 years ago Last modified on 07/25/17 15:04:29