| 1 | = Introduction = |
| 2 | |
| 3 | Commit [https://github.com/OpenVPN/openvpn-build/commit/8795ccfd251b8252122dec43e6327a74856d17db 8795ccfd25] to openvpn-build made the NSIS installer manage services using SimpleSC NSIS plugin. The new service management commands did not properly quote service paths which created a subtle vulnerability. |
| 4 | |
| 5 | The vulnerability can be easily exploited, but only on systems where the C:\ drive is writeable by limited user(s). Users of such systems are urged to upgrade to openvpn-install-2.4.3-I602 or later as soon as possible. |
| 6 | |
| 7 | Thanks to Jason Haar for finding and reporting this issue! The original Nessus report is available below. |
| 8 | |
| 9 | = Original Nessus report = |
| 10 | |
| 11 | == Description == |
| 12 | |
| 13 | The remote Windows host has at least one service installed that uses an |
| 14 | unquoted service path, which contains at least one whitespace. A local |
| 15 | attacker can gain elevated privileges by inserting an executable file in |
| 16 | the path of the affected service. |
| 17 | |
| 18 | Note that this is a generic test that will flag any application affected |
| 19 | by the described vulnerability. |
| 20 | |
| 21 | == Solution == |
| 22 | |
| 23 | Ensure that any services that contain a space in the path enclose the |
| 24 | path in quotes. |
| 25 | |
| 26 | == See Also == |
| 27 | |
| 28 | * http://www.nessus.org/u?84a4cc1c |
| 29 | * http://cwe.mitre.org/data/definitions/428.html |
| 30 | * https://www.commonexploits.com/unquoted-service-paths/ |
| 31 | * http://www.nessus.org/u?4aa6acbc |
| 32 | |
| 33 | == Output == |
| 34 | |
| 35 | Nessus found the following services with an untrusted path: |
| 36 | |
| 37 | * OpenVPNServiceLegacy : C:\Program Files\OpenVPN\bin\openvpnserv.exe |
| 38 | * OpenVPNServiceInteractive : C:\Program Files\OpenVPN\bin\openvpnserv.exe |
| 39 | |