Attacker Value
Low
(2 users assessed)
Exploitability
High
(2 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local

CVE-2020-9442

Disclosure Date: February 28, 2020

Description

OpenVPN Connect 3.1.0.361 on Windows has Insecure Permissions for %PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10, which allows local users to gain privileges by copying a malicious drvstore.dll there.
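
A defender can check whether a given host is exposed by auditing the ACL on that directory. The PowerShell below is an added example, not code from the advisory or from OpenVPN; the allow-list of trusted SIDs and the function name Get-RiskyAce are assumptions made for illustration.

```powershell
# Added example: read-only audit of the directory named in CVE-2020-9442.
$dir = Join-Path $env:ProgramData 'OpenVPN Connect\drivers\tap\amd64\win10'
# Assumed allow-list by SID: SYSTEM, BUILTIN\Administrators, TrustedInstaller.
$trusted = 'S-1-5-18', 'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
# Rights that let a principal plant or replace a file in the directory,
# plus raw GENERIC_WRITE / GENERIC_ALL bits that Get-Acl may return.
$R = [System.Security.AccessControl.FileSystemRights]
$mask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
    $R::ChangePermissions -bor $R::TakeOwnership) -bor 0x40000000 -bor 0x10000000

function Get-RiskyAce {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs (e.g. CREATOR OWNER) do not apply to $Path itself.
        $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
        if ($ace.PropagationFlags -band $inheritOnly) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
        try {   # compare by SID so localized group names do not matter
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { $sid = $ace.IdentityReference.Value }
        if ($trusted -notcontains $sid) {
            [pscustomobject]@{ Identity = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

if (-not (Test-Path -LiteralPath $dir)) { Write-Output "Not present: $dir"; return }
$risky = @(Get-RiskyAce -Path $dir)
if ($risky.Count) {
    Write-Output "Principals outside the allow-list can write to ${dir}:"
    $risky | Format-Table -AutoSize | Out-String
} else { Write-Output "Only allow-listed principals can write to $dir" }

# If drvstore.dll is present, show owner, signature status and timestamp so a
# reviewer can decide whether it belongs there (presence alone proves nothing).
$dll = Join-Path $dir 'drvstore.dll'
if (Test-Path -LiteralPath $dll) {
    [pscustomobject]@{
        Path      = $dll
        Owner     = (Get-Acl -LiteralPath $dll).Owner
        Signature = (Get-AuthenticodeSignature -LiteralPath $dll).Status
        Modified  = (Get-Item -LiteralPath $dll).LastWriteTime
    } | Format-List | Out-String
}
```

Any principal listed in the output can create or replace files in the driver directory; tightening the ACL to the allow-listed principals closes the write path the description refers to.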


4
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    High
Technical Analysis

Research of OpenVPN Connect 3.1.0.361 dll drop “Privilege Escalation”

This vulnerability is stated to be a Privilege escalation vulnerability. Unfortunately the dropped dll of drvstore.dll in C:\ProgramData\OpenVPN Connect\drivers\tap\amd64\win10 is only executed when the openvpn-connect-3.1.0.361_signed.msi is run to install OpenVPN Connect. Due to most common settings of Windows you already have to have administrative privileges to install applications. So this gets downgraded pretty heavily for usability as privilege escalation. In addition

I can see it used as a one-time use to get your initial shell as a unique method to run your malicious dll. This would bypass the general monitoring methods to launch a malicious dll box. Unfortunately to use this method again, you will have to uninstall OpenVPN Connect and then reinstall. On the bright side you will not have to drop the evil DLL again after the uninstallation of OpenVPN Connect.

You can run the msi silently from an administrator command line by using msiexec.exe /i openvpn-connect-3.1.0.361_signed.msi /qn

Information:

CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9442
Public Release: https://github.com/hessandrew/CVE-2020-9442

4
Ratings
Technical Analysis

Due to the need to have an upgrade or an install trigger in order for this privesc to work, the value of the exploit to an attacker is decreased. You can drop your .dll and wait for an eventually privileged process to spawn as a result of the exploit, but you might have to wait a long time.

CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • openvpn

Products

  • connect
