PerFact OpenVPN-Client
Plan Patch | 8.8 | ICS-CERT ICSA-21-056-01 | Feb 25, 2021
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
PerFact OpenVPN-Client versions 1.4.1.0 and earlier contain a privilege escalation vulnerability that could allow a user to execute arbitrary code on the local system through a malicious webpage. Successful exploitation could grant an attacker elevated privileges on the client system, potentially compromising the VPN connection and any connected control systems. Version 1.6.0 mitigates this vulnerability.
What this means
What could happen
An attacker with valid user credentials could execute code on systems running PerFact OpenVPN-Client, potentially gaining control of remote access to your control network or compromising the connected engineering workstation.
Who's at risk
Organizations using PerFact OpenVPN-Client for remote access to industrial control networks should care about this issue. This affects engineering workstations, remote access systems, and any Windows-based device used to connect to PLCs, RTUs, SCADA systems, or other industrial equipment over a VPN.
How it could be exploited
An attacker would need valid credentials to log into a system running PerFact OpenVPN-Client and trick a user into visiting a malicious webpage. The webpage exploits a privilege escalation flaw to run arbitrary code with elevated privileges on the client system, potentially compromising VPN access or the workstation itself.
Prerequisites
- Valid user credentials for the system running OpenVPN-Client
- User must visit a malicious webpage while logged in
- OpenVPN-Client version 1.4.1.0 or earlier installed
- Remotely exploitable via malicious webpage
- Requires valid user credentials
- Affects VPN security for OT networks
- Low complexity attack
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product: OpenVPN-Client
Affected Versions: ≤ 1.4.1.0
Fix Status: 1.6.0
Remediation & Mitigation
Do now
WORKAROUND: Educate users not to visit untrusted webpages from systems running OpenVPN-Client, especially engineering workstations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade PerFact OpenVPN-Client to version 1.6.0 or later
Long-term hardening
HARDENING: Restrict network access to systems running OpenVPN-Client from untrusted networks and the Internet
HARDENING: Isolate VPN client systems and engineering workstations from the business network using network segmentation or separate VLANs
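To help schedule the upgrade, the Python script below sorts a software inventory against the version bounds in this advisory; it is an added example, not part of the advisory or of PerFact's tooling. The CSV layout, the hostnames and the "unlisted" bucket for versions between 1.4.1.0 and 1.6.0 (which the advisory does not address) are assumptions of this example.

```python
import csv
import io

AFFECTED_MAX = (1, 4, 1, 0)  # advisory: versions 1.4.1.0 and earlier are affected
FIXED_MIN = (1, 6, 0, 0)     # advisory: version 1.6.0 mitigates the issue


def parse_version(text, width=4):
    """Turn '1.6.0' into (1, 6, 0, 0) so 3- and 4-part versions compare numerically."""
    parts = text.strip().split(".")
    if len(parts) > width or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts) + (0,) * (width - len(parts))


def classify(version_text):
    """Return 'affected', 'fixed', 'unlisted' or 'unparseable' for one version."""
    try:
        v = parse_version(version_text or "")
    except ValueError:
        return "unparseable"
    if v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED_MIN:
        return "fixed"
    # The advisory says nothing about this range; flag it for manual review.
    return "unlisted"


def triage(inventory_csv):
    """Group hostnames by status from CSV text with 'host' and 'version' columns."""
    result = {"affected": [], "fixed": [], "unlisted": [], "unparseable": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        result[classify(row.get("version"))].append(row["host"])
    return result


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE = """host,version
eng-ws-01,1.4.1.0
eng-ws-02,1.3.9
remote-gw-01,1.6.0
eng-ws-03,1.5.2
eng-ws-04,1.10.0
eng-ws-05,unknown
"""

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:12} {', '.join(hosts) or '-'}")
```

Comparing versions as integer tuples matters here: a plain string comparison would sort 1.10.0 below 1.4.1.0 and report an upgraded host as affected.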
CVEs (1)