AttackerKB AKB:C3819346-F5F9-469D-B412-530E7A4BC1CA
History: Feb 28, 2020 - 12:00 a.m.

CVE-2020-9442

2020-02-28 00:00:00
attackerkb.com

EPSS: 0.0004 (Low)
Percentile: 5.1%

OpenVPN Connect 3.1.0.361 on Windows has Insecure Permissions for %PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10, which allows local users to gain privileges by copying a malicious drvstore.dll there.
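
A defensive check for the condition described above, as an added example that is not from the advisory or from OpenVPN: it lists allow ACEs on the affected directory that let principals other than SYSTEM, Administrators or TrustedInstaller create files, and reports any drvstore.dll found there for review. The trusted-SID list and the function name Get-UnsafeWriteAce are assumptions of this example.

```powershell
# Added example: audit the directory named in CVE-2020-9442 (run on the endpoint).
$dir = Join-Path $env:ProgramData 'OpenVPN Connect\drivers\tap\amd64\win10'

# Assumption: only these SIDs should be able to create files here:
# SYSTEM, BUILTIN\Administrators, TrustedInstaller.
$trusted = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# On a directory, WriteData = create files and AppendData = create subfolders.
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) can appear unmapped.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
$writeBits = [int]$rights -bor 0x40000000 -bor 0x10000000
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-UnsafeWriteAce {
    param([Parameter(Mandatory = $true)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to the directory itself.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{ Sid = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
    }
}

if (Test-Path -LiteralPath $dir) {
    $findings = @(Get-UnsafeWriteAce -Path $dir)
    if ($findings.Count -gt 0) {
        Write-Warning "Non-administrative principals can create files in $dir"
        $findings | Format-Table -AutoSize
    } else {
        Write-Output "No unexpected write access on $dir"
    }
    # drvstore.dll in this directory is the file named in the advisory; review it.
    $dll = Join-Path $dir 'drvstore.dll'
    if (Test-Path -LiteralPath $dll) {
        Get-Item -LiteralPath $dll | Format-List FullName, CreationTimeUtc, LastWriteTimeUtc
        Get-AuthenticodeSignature -FilePath $dll | Format-List Status, SignerCertificate
    }
} else {
    Write-Output "Directory not present: $dir"
}
```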

Recent assessments:

wolfthefallen at February 28, 2020 10:58pm UTC reported:

Research of OpenVPN Connect 3.1.0.361 dll drop “Privilege Escalation”

This vulnerability is stated to be a privilege escalation vulnerability. Unfortunately, the dropped DLL, drvstore.dll, in C:\ProgramData\OpenVPN Connect\drivers\tap\amd64\win10 is only executed when openvpn-connect-3.1.0.361_signed.msi is run to install OpenVPN Connect. Due to the most common settings of Windows, you already have to have administrative privileges to install applications. So this gets downgraded pretty heavily for usability as privilege escalation.

In addition, I can see it used as a one-time use to get your initial shell as a unique method to run your malicious DLL. This would bypass the general monitoring methods to launch a malicious dll box. Unfortunately, to use this method again, you will have to uninstall OpenVPN Connect and then reinstall. On the bright side, you will not have to drop the evil DLL again after the uninstallation of OpenVPN Connect.

You can run the msi silently from an administrator command line by using msiexec.exe /i openvpn-connect-3.1.0.361_signed.msi /qn

Information:

CVE: <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9442>
Public Release: <https://github.com/hessandrew/CVE-2020-9442>

J3rryBl4nks at March 02, 2020 10:23pm UTC reported:

Research of OpenVPN Connect 3.1.0.361 dll drop “Privilege Escalation”

This vulnerability is stated to be a privilege escalation vulnerability. Unfortunately, the dropped DLL, drvstore.dll, in C:\ProgramData\OpenVPN Connect\drivers\tap\amd64\win10 is only executed when openvpn-connect-3.1.0.361_signed.msi is run to install OpenVPN Connect. Due to the most common settings of Windows, you already have to have administrative privileges to install applications. So this gets downgraded pretty heavily for usability as privilege escalation.

In addition, I can see it used as a one-time use to get your initial shell as a unique method to run your malicious DLL. This would bypass the general monitoring methods to launch a malicious dll box. Unfortunately, to use this method again, you will have to uninstall OpenVPN Connect and then reinstall. On the bright side, you will not have to drop the evil DLL again after the uninstallation of OpenVPN Connect.

You can run the msi silently from an administrator command line by using msiexec.exe /i openvpn-connect-3.1.0.361_signed.msi /qn

Information:

CVE: <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9442>
Public Release: <https://github.com/hessandrew/CVE-2020-9442>

Assessed Attacker Value: 2
Assessed Attacker Value: 4
