Changes between Initial Version and Version 1 of UnquotedServicePathIn24WindowsInstallers


Timestamp:
07/25/17 14:59:34 (7 years ago)
Author:
Samuli Seppänen
Comment:

Add security announcement for openvpn-install-2.4.3-I602

  • UnquotedServicePathIn24WindowsInstallers

    v1 v1  
     1= Introduction =
     2
     3Commit [https://github.com/OpenVPN/openvpn-build/commit/8795ccfd251b8252122dec43e6327a74856d17db 8795ccfd25] to openvpn-build made the NSIS installer manage services using SimpleSC NSIS plugin. The new service management commands did not properly quote service paths which created a subtle vulnerability.
     4
     5The vulnerability can be easily exploited, but only on systems where the C:\ drive is writeable by limited user(s). Users of such systems are urged to upgrade to openvpn-install-2.4.3-I602 or later as soon as possible.
     6
     7Thanks to Jason Haar for finding and reporting this issue! The original Nessus report is available below.
     8
     9= Original Nessus report =
     10
     11== Description ==
     12
     13The remote Windows host has at least one service installed that uses an
     14unquoted service path, which contains at least one whitespace. A local
     15attacker can gain elevated privileges by inserting an executable file in
     16the path of the affected service.
     17
     18Note that this is a generic test that will flag any application affected
     19by the described vulnerability.
     20
     21== Solution ==
     22
     23Ensure that any services that contain a space in the path enclose the
     24path in quotes.
     25
     26== See Also ==
     27
     28* http://www.nessus.org/u?84a4cc1c
     29* http://cwe.mitre.org/data/definitions/428.html
     30* https://www.commonexploits.com/unquoted-service-paths/
     31* http://www.nessus.org/u?4aa6acbc
     32
     33== Output ==
     34
     35Nessus found the following services with an untrusted path:
     36
     37* OpenVPNServiceLegacy : C:\Program Files\OpenVPN\bin\openvpnserv.exe
     38* OpenVPNServiceInteractive : C:\Program Files\OpenVPN\bin\openvpnserv.exe
     39
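Review bot: the Introduction (new lines 3 to 5) names the fixed release, openvpn-install-2.4.3-I602, but identifies the affected installers only through commit 8795ccfd25, so a reader cannot tell from the announcement whether their installed build is vulnerable. List the first affected installer release next to the commit link. The sentence "only on systems where the C:\ drive is writeable by limited user(s)" would also be clearer with its reason stated: with the unquoted path shown in the Output section, Windows tries C:\Program.exe before C:\Program Files\OpenVPN\bin\openvpnserv.exe. Finally, consider adding a post-upgrade check: per the Solution section, the paths of OpenVPNServiceLegacy and OpenVPNServiceInteractive should be enclosed in quotes after installing I602 or later.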