
OpenVPN Access Server Desktop Client is vulnerable

OpenVPN developers recommend that users of the desktop client update immediately. The reason is a cross-site request forgery (CSRF) attack through which attackers can gain remote access to the victim's computer.


Austrian security researchers discovered this vulnerability back in May of this year. A user running the outdated software who visits a malicious site risks giving the attacker access to their PC.

OpenVPN Access Server consists of two parts:
1) A service that provides interaction between the server and the user in the form of an XML-RPC interface.
2) A user interface that connects to the service through that API.

The XML-RPC API is vulnerable to cross-site request forgery (CSRF). By invoking certain API commands, an attacker can learn the victim's real IP address, redirect traffic to the attacker's own servers (a man-in-the-middle attack), and even achieve arbitrary code execution with system privileges on the user's computer.
OpenVPN provides several different VPN and security services, but only the Windows desktop client is vulnerable.

All users of the desktop application on Windows should switch to OpenVPN Connect.

Video demonstration of the vulnerability

Source: https://habr.com/ru/post/230149/
