Local Privilege Escalation in Securepoint SSL VPN Client 2.0.30

Metadata
===================================================
Release Date: 29-Jun-2021
Author: Florian Bogner @ https://bee-itsecurity.at
Affected product: Securepoint SSL VPN Client
Fixed in: version 2.0.32
Tested on: Windows 10 x64 fully patched
CVE: CVE-2021-35523
URL: https://bogner.sh/2021/06/local-privilege-escalation-in-securepoint-ssl-vpn-client-2-0-30/
Vulnerability Status: Fixed with new release

Vulnerability Description (copied from the CVE Details)
===================================================
Securepoint SSL VPN Client v2 before 2.0.32 on Windows has unsafe configuration handling that enables local privilege escalation to NT AUTHORITY\SYSTEM. A non-privileged local user can modify the OpenVPN configuration stored under "%APPDATA%\Securepoint SSL VPN" and add an external script file that is executed as privileged user.

A full vulnerability description is available here: https://bogner.sh/2021/06/local-privilege-escalation-in-securepoint-ssl-vpn-client-2-0-30/

Suggested Solution
===================================================
End-users should update to the latest available version.

Disclosure Timeline
===================================================
14.04.2021: The vulnerability was discovered and reported to security@securepoint.de
15.04.2021: The report was triaged
26.04.2021: Securepoint SSL VPN Client Version 2.0.32 was released, which contains an initial fix for the vulnerability
23.06.2021: Securepoint SSL VPN Client Version 2.0.34 was released, which contains additional security measures.
28.06.2021: CVE-2021-35523 was assigned: https://nvd.nist.gov/vuln/detail/CVE-2021-35523
29.06.2021: Responsible disclosure in cooperation with Securepoint: https://github.com/Securepoint/openvpn-client/security/advisories/GHSA-v8p8-4w8f-qh34

___________
Florian Bogner
Information Security Expert, Speaker

Bee IT Security Consulting GmbH
Nibelungenstraße 37
3123 A-Schweinern

Mail: florian.bogner@bee-itsecurity.at
Web: https://www.bee-itsecurity.at