= Introduction =

Commit [https://github.com/OpenVPN/openvpn-build/commit/8795ccfd251b8252122dec43e6327a74856d17db 8795ccfd25] to openvpn-build made the NSIS installer manage services using SimpleSC NSIS plugin. The new service management commands did not properly quote service paths which created a subtle medium-level vulnerability. The vulnarability can be exploited if two conditions are met:

* The C:\ drive is writeable by limited user(s)
* OpenVPN was installed using official '''OpenVPN 2.4''' Windows installers

Users of such systems are urged to upgrade to openvpn-install-2.4.3-I602 or later as soon as possible.

Thanks to Jason Haar for finding and reporting this issue! The original Nessus report is available below.

= Original Nessus report =

== Description ==

The remote Windows host has at least one service installed that uses an
unquoted service path, which contains at least one whitespace. A local
attacker can gain elevated privileges by inserting an executable file in
the path of the affected service.

Note that this is a generic test that will flag any application affected
by the described vulnerability.

== Solution ==

Ensure that any services that contain a space in the path enclose the
path in quotes.

== See Also ==

* http://www.nessus.org/u?84a4cc1c
* http://cwe.mitre.org/data/definitions/428.html
* https://www.commonexploits.com/unquoted-service-paths/
* http://www.nessus.org/u?4aa6acbc

== Output ==

Nessus found the following services with an untrusted path: 

* OpenVPNServiceLegacy : C:\Program Files\OpenVPN\bin\openvpnserv.exe
* OpenVPNServiceInteractive : C:\Program Files\OpenVPN\bin\openvpnserv.exe