PT-2021-6006 · Perfact · Openvpn-Client

Sharon Brizinov

Published: 2021-02-25
Updated: 2022-10-18

CVE-2021-27406

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: PerFact OpenVPN-Client versions 1.4.1.0 and prior

Description: The issue allows an attacker to send the config command from any application running on the local host machine, forcing the back-end server to initialize a new OpenVPN instance with an arbitrary OpenVPN configuration. This could result in the attacker achieving code execution with the privileges of the SYSTEM user. The vulnerability is related to errors in system settings or configuration, which can be exploited by a remote attacker to execute arbitrary code or elevate privileges.

Recommendations: For PerFact OpenVPN-Client versions 1.4.1.0 and prior, restrict access to the config command to prevent unauthorized initialization of new OpenVPN instances until a patch is available. As a temporary workaround, restrict the ability of local applications to send the config command to the back-end server.

Related Identifiers: BDU:2022-00567, CVE-2021-27406

Affected Products: Openvpn-Client