Risk Rating:
High
Description:
Securepoint SSL VPN Client v2 on Windows handles its configuration unsafely, which enables local privilege escalation to NT AUTHORITY\SYSTEM.
Impact:
A non-privileged local user can modify the openvpn configuration stored at %APPDATA%\Securepoint SSL VPN\config${name}${name}.ovpn and add an external script file that is executed as a privileged user.
Affected Product:
Securepoint SSL VPN Client v2 2.0.31 or earlier.
Workaround:
No workaround available.
Solution:
Upgrade Securepoint SSL VPN Client v2 to 2.0.32 or newer.
Patches:
- SSL VPN v2 version 2.0.32 contains a check for a script-security setting higher than 1 (built-in tools). Additionally, the openvpn executable 2.5.1 is also patched to prevent a script-security setting higher than 1.
- SSL VPN v2 version 2.0.33 contains a protection against modification of the openvpn configuration in the appdata application directory (%APPDATA%\Securepoint SSL VPN\config*).
  The openvpn executable 2.5.2 is also patched to prevent a script-security setting higher than 1 (as in 2.0.32).
  Additionally, the openvpn configuration is started from a restricted location once it has been checked for unauthorized modification. This protection is implemented by a checksum of the configuration content.
  Setting a new checksum for a configuration is only possible if the user has administrator privileges. If UAC is enabled, the UAC dialog appears.
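The two checks described under Patches, sketched as an added example for auditing .ovpn files; this is not Securepoint's code. The list of script-hook directives comes from the OpenVPN manual, SHA-256 is an assumed checksum algorithm (the advisory does not name one), and the sample configuration is constructed.

```python
import hashlib
import hmac

# OpenVPN directives that execute an external command (per the OpenVPN manual).
SCRIPT_HOOKS = frozenset({
    "up", "down", "ipchange", "route-up", "route-pre-down", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect", "learn-address",
})
MAX_SCRIPT_SECURITY = 1  # level 1 = built-in executables only

# Constructed sample of a modified configuration (not taken from the advisory).
SAMPLE = "client\ndev tun\n# script-security 3\nscript-security 2\nup example-hook.bat\n<ca>\nup data\n</ca>\n"

def audit_ovpn(text):
    """Return (line_no, reason) findings for the text of one .ovpn file."""
    findings = []
    inline_tag = None  # inside <ca>...</ca> style blocks, lines are data
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inline_tag:
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline_tag = line[1:-1]
            continue
        parts = line.split()
        # OpenVPN accepts directives in config files with or without leading "--".
        name = parts[0][2:] if parts[0].startswith("--") else parts[0]
        if name == "script-security":
            level = parts[1].strip("\"'") if len(parts) > 1 else ""
            if not level.isdecimal() or int(level) > MAX_SCRIPT_SECURITY:
                findings.append((no, f"script-security {level or '?'} exceeds {MAX_SCRIPT_SECURITY}"))
        elif name in SCRIPT_HOOKS:
            findings.append((no, f"script hook '{name}' runs an external command"))
    return findings

def unchanged(data, trusted_sha256):
    """True if the config bytes still match the checksum recorded by an administrator."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), trusted_sha256.lower())

if __name__ == "__main__":
    for no, reason in audit_ovpn(SAMPLE):
        print(f"line {no}: {reason}")
```

The trusted checksum has to be stored where the unprivileged user cannot write, otherwise the comparison protects nothing.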
Credit:
Thanks to Florian Bogner, Co-Founder of Bee IT Security (https://bee-itsecurity.at/) for reporting this vulnerability under responsible disclosure.
References:
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
https://bogner.sh/2021/04/local-privilege-escalation-in-securepoint-ssl-vpn-client-2-0-30/
For more information:
If you have any questions or comments about this advisory:
Open an issue in the project repo
Email us at security@securepoint.de