How Linux VPN Use Can Make You Secure
Virtual Private Networks (VPNs) initially enable off-site employees to access business networks remotely yet privately via an insecure Internet connection (public network). And that’s no
“All Access Server
customers using the ‘Desktop Client’ app for Windows should upgrade
immediately to the OpenVPN Connect client. The ‘Desktop Client’ is
obsolete and is no longer maintained or available for download. This
client contains a CSRF (Cross Site Request Forgery) vulnerability that
can allow remote code execution by a malicious web site,”
“It is also bundled with an older
version of OpenSSL that has not received recent OpenSSL security
updates. This advisory only applies to the OpenVPN Access Server
‘Desktop Client’ app for Windows, and does not affect OpenVPN Connect,
Private Tunnel, or community builds of OpenVPN for Windows.” OpenVPN
reported in the advisory.
“Remote
attackers can execute arbitrary code and execute other attacks on
computers with the OpenVPN Access Server “Desktop Client” installed.
Affected users should upgrade immediately to the OpenVPN Connect
client.” the SEC Consult advisory states.
“The
OpenVPN Access Server ‘Desktop Client’ consists of two parts, a Windows
service that offers an XML-RPC API via a webserver on localhost and a GUI component that connects to this API,”“The XML-RPC API is vulnerable to Cross-Site Request Forgery (CSRF). Using the API commands an attacker can: unmask a victim (e.g. by
disconnecting an established VPN connection), perform MITM attacks (by
connecting the victim to an ‘evil’ VPN server), execute arbitrary code
with SYSTEM privileges (by adding a VPN profile that executes code).”
SEC Consult has provided a video proof of concept for the OpenVPN Access Server ‘Desktop Client’ vulnerability.
Industrial Cybersecurity
September 28, 2023
Want always be up to date?
By subscribing to our mailing list, you will be enrolled to receive our new trainings, latest blog posts, product news, and more.
Transform your cybersecurity skills with CIP Cyber’s comprehensive training & course offerings
Virtual Private Networks (VPNs) initially enable off-site employees to access business networks remotely yet privately via an insecure Internet connection (public network). And that’s no
Privacy, anonymity, and security is the main concern for an online user. Many VPN service providers claim that their service helps the user protect their
Most people protect their laptops and computers from potential cyber-attacks but only consider the cybersecurity of their mobile devices when it’s too late. In recent
Want always be up to date?
By subscribing to our mailing list, you will be enrolled to receive our new trainings, latest blog posts, product news, and more.
Transform your cybersecurity skills with CIP Cyber’s comprehensive training & course offerings