CVE-2021-35523

CVSS Score: 7.8 HIGH

📋 TL;DR

This vulnerability allows local unprivileged users on Windows systems to escalate privileges to SYSTEM level by modifying OpenVPN configuration files. It affects Securepoint SSL VPN Client v2 installations where non-admin users can write to the application's configuration directory. Attackers can add malicious scripts that execute with elevated privileges.

💻 Affected Systems

Products:
  • Securepoint SSL VPN Client v2
Versions: before 2.0.32
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local user access to modify files in %APPDATA%\Securepoint SSL VPN directory.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains full SYSTEM privileges, enabling complete system compromise, credential theft, persistence establishment, and lateral movement capabilities.

🟠 Likely Case

Malicious insider or compromised user account escalates to SYSTEM to install malware, steal sensitive data, or disable security controls.

🟢 If Mitigated

With proper access controls and patching, impact is limited to failed privilege escalation attempts that can be detected and logged.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access to the system.
🏢 Internal Only: HIGH - Any compromised or malicious local user account can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local user access but no special privileges. Multiple public proof-of-concept exploits exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.32 or later

Vendor Advisory: https://github.com/Securepoint/openvpn-client/security/advisories/GHSA-v8p8-4w8f-qh34

Restart Required: Yes

Instructions:

1. Download Securepoint SSL VPN Client v2.0.32 or later from official sources.
2. Uninstall the previous version.
3. Install the updated version.
4. Restart the system.

🔧 Temporary Workarounds

Restrict configuration directory permissions

Platform: Windows

Set restrictive ACLs on the Securepoint SSL VPN configuration directory so that non-admin users cannot modify files. Because the command removes inherited permissions, it also grants the profile owner read-only access so the client can still read its profiles. Note that %APPDATA% and %USERNAME% expand to the account running the command, so run it from each affected user's context (or substitute that user's full profile path), and confirm the client still connects afterwards.

icacls "%APPDATA%\Securepoint SSL VPN" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "%USERNAME%:(OI)(CI)RX" /deny "Users:(OI)(CI)W"

Disable script execution in OpenVPN config

Platform: all

Modify the OpenVPN configuration to disable script execution, or validate the paths of any scripts it references.

Add 'script-security 0' to the OpenVPN configuration files to disable all calls to external programs. Level 0 also blocks legitimate up/down and other helper scripts a profile may rely on, so test the connection after the change.

🧯 If You Can't Patch

  • Remove write permissions for non-admin users on %APPDATA%\Securepoint SSL VPN directory
  • Monitor for unauthorized modifications to OpenVPN configuration files and script execution events
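A small audit script for the two workarounds above and for the configuration-monitoring bullet: it parses an OpenVPN profile, reports the script-security level and every directive that would make openvpn execute an external program. This is an added example, not Securepoint's code; the sample profile, the path under alice's %APPDATA% and the file name unexpected.cmd are constructed, and it assumes the launching service might raise script-security on its own command line, so any exec directive is flagged regardless of the level in the file.

```python
import shlex

EXEC_DIRECTIVES = {  # directives that make openvpn run a program or plugin
    "up", "down", "ipchange", "route-up", "route-pre-down", "tls-verify",
    "client-connect", "client-disconnect", "learn-address",
    "auth-user-pass-verify", "plugin"}
# Constructed sample profile with an unexpected script directive appended.
SAMPLE_CONFIG = r"""
client
dev tun
remote vpn.example.invalid 1194
<ca>
(placeholder, not a real certificate)
</ca>
# lines below were added by someone with write access to the profile dir
script-security 2
up "C:\Users\alice\AppData\Roaming\Securepoint SSL VPN\unexpected.cmd"
"""

def parse_directives(config_text):
    """Yield (directive, args); skip comments and inline <tag>...</tag> blocks."""
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if in_block:                       # inside <ca>, <cert>, <key>, ...
            in_block = not line.startswith("</")
            continue
        if not line or line[0] in "#;":    # OpenVPN comment or blank line
            continue
        if line.startswith("<"):
            in_block = True
            continue
        # Quote-aware split; escape="" keeps Windows backslashes literal.
        lexer = shlex.shlex(line, posix=True)
        lexer.whitespace_split, lexer.escape, lexer.commenters = True, "", ""
        tokens = list(lexer)
        yield tokens[0].lower(), tokens[1:]

def audit_config(config_text):
    """Return the file's script-security level (None if unset) and every
    directive that would execute an external program when openvpn starts."""
    level, findings = None, []
    for name, args in parse_directives(config_text):
        if name == "script-security" and args and args[0].isdigit():
            level = int(args[0])
        elif name in EXEC_DIRECTIVES:
            findings.append((name, args))
    # Assumption: the service may override the level, so flag any exec directive.
    return {"script_security": level, "exec_directives": findings,
            "risky": bool(findings)}
```

Run it over every profile in the configuration directory on a schedule and alert on any change in the returned findings.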

🔍 How to Verify

Check if Vulnerable:

Check if Securepoint SSL VPN Client version is below 2.0.32 and verify non-admin users have write access to %APPDATA%\Securepoint SSL VPN directory.

Check Version:

Check program version in Control Panel > Programs and Features or run the VPN client and check About section.

Verify Fix Applied:

Verify installed version is 2.0.32 or higher and test that non-admin users cannot modify files in the configuration directory.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized file modifications in %APPDATA%\Securepoint SSL VPN directory
  • Execution of unexpected scripts by SYSTEM account
  • OpenVPN configuration changes from non-admin users

Network Indicators:

  • Unusual outbound connections from SYSTEM context following VPN client activity

SIEM Query:

EventID=4688 AND NewProcessName LIKE '%script%' AND SubjectUserName='SYSTEM' AND ParentProcessName LIKE '%openvpn%'
