Changes between Initial Version and Version 1 of UnquotedServicePathIn24WindowsInstallers

07/25/17 14:59:34 (4 years ago)
Samuli Seppänen

Add security announcement for openvpn-install-2.4.3-I602


= Introduction =

Commit [8795ccfd25] to openvpn-build made the NSIS installer manage services using the SimpleSC NSIS plugin. The new service management commands did not properly quote service paths, which created a subtle vulnerability.

The vulnerability can be easily exploited, but only on systems where the C:\ drive is writeable by limited user(s). Users of such systems are urged to upgrade to openvpn-install-2.4.3-I602 or later as soon as possible.

Thanks to Jason Haar for finding and reporting this issue! The original Nessus report is available below.

= Original Nessus report =

== Description ==

The remote Windows host has at least one service installed that uses an
unquoted service path, which contains at least one whitespace. A local
attacker can gain elevated privileges by inserting an executable file in
the path of the affected service.

Note that this is a generic test that will flag any application affected
by the described vulnerability.

== Solution ==

Ensure that any services that contain a space in the path enclose the
path in quotes.

== See Also ==

== Output ==

Nessus found the following services with an untrusted path:

* OpenVPNServiceLegacy : C:\Program Files\OpenVPN\bin\openvpnserv.exe
* OpenVPNServiceInteractive : C:\Program Files\OpenVPN\bin\openvpnserv.exe
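
The check described in this announcement, as an added example (not code from openvpn-build or from Nessus): it flags unquoted service paths that contain whitespace and lists the directories whose write permissions then matter, which is why the issue depends on C:\ being writeable. The function names and the last two sample entries are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample input: the first two entries are the paths from the
# Nessus output above; the last two are made up for contrast.
SAMPLE_SERVICES = {
    "OpenVPNServiceLegacy": r"C:\Program Files\OpenVPN\bin\openvpnserv.exe",
    "OpenVPNServiceInteractive": r"C:\Program Files\OpenVPN\bin\openvpnserv.exe",
    "QuotedExample": r'"C:\Program Files\Example\svc.exe" --run',
    "NoSpaceExample": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

# End of the executable name: ".exe" followed by whitespace or end of string
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def exposed_dirs(image_path):
    """Return the directories whose ACLs matter for an unquoted service path.

    An empty list means the path is quoted, or the executable part has no
    whitespace, so there is nothing ambiguous for Windows to resolve.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    m = _EXE_END.search(path)
    exe = path[:m.end()] if m else path  # no ".exe" found: check whole string
    dirs = []
    for i, ch in enumerate(exe):
        if ch == " ":
            # Windows may treat everything before this space as the program
            # name, so the directory holding that prefix must not be
            # writable by limited users.
            parent = ntpath.dirname(exe[:i])
            if parent not in dirs:
                dirs.append(parent)
    return dirs


def audit(services):
    """Map each flagged service name to the directories to review."""
    return {name: d for name, p in services.items() if (d := exposed_dirs(p))}


if __name__ == "__main__":
    for name, dirs in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path, review write access on {dirs}")
```

On a live host the same function can be fed the service path strings exported from the service configuration; quoting the path, as the Solution section says, makes the result empty.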