## https://sploitus.com/exploit?id=PACKETSTORM:163320
Local Privilege Escalation in Securepoint SSL VPN Client 2.0.30  
  
Metadata  
===================================================  
Release Date: 29-Jun-2021  
Author: Florian Bogner @ https://bee-itsecurity.at  
Affected product: Securepoint SSL VPN Client   
Fixed in: version 2.0.32  
Tested on: Windows 10 x64 fully patched  
CVE: CVE-2021-35523  
URL: https://bogner.sh/2021/06/local-privilege-escalation-in-securepoint-ssl-vpn-client-2-0-30/  
Vulnerability Status: Fixed with new release  
  
Vulnerability Description (copied from the CVE Details)  
===================================================  
Securepoint SSL VPN Client v2 before 2.0.32 on Windows has unsafe configuration handling that enables local privilege escalation to NT AUTHORITY\SYSTEM. A non-privileged local user can modify the OpenVPN configuration stored under "%APPDATA%\Securepoint SSL VPN" and add an external script file that is executed as a privileged user.  
  
A full vulnerability description is available here: https://bogner.sh/2021/06/local-privilege-escalation-in-securepoint-ssl-vpn-client-2-0-30/   
  
Suggested Solution  
===================================================  
End-users should update to the latest available version.  
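
On hosts that ran an affected version, the user-writable configuration described above can be audited for directives that make OpenVPN run external programs. The following is an added example, not code from the advisory or from Securepoint; it assumes the profiles are stored as *.ovpn files below "%APPDATA%\Securepoint SSL VPN", and the sample configurations are constructed.

```python
import os
from pathlib import Path

# OpenVPN directives that run an external program or load native code.
EXEC_DIRECTIVES = {
    "up", "down", "ipchange", "route-up", "route-pre-down", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address", "plugin",
}

def scan_config(text):
    """Return (line_no, directive, argument) for each risky directive."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        parts = line.split(None, 1)
        name = parts[0].lstrip("-").lower()    # tolerate "--up" spelling
        arg = parts[1].strip() if len(parts) > 1 else ""
        if name in EXEC_DIRECTIVES:
            findings.append((no, name, arg))
        # script-security 2 or higher permits user-defined scripts
        elif name == "script-security" and arg[:1].isdigit() and int(arg[0]) >= 2:
            findings.append((no, name, arg))
    return findings

def scan_tree(root):
    """Scan every *.ovpn file below root (assumed layout); {path: findings}."""
    report = {}
    for path in Path(root).rglob("*.ovpn"):
        hits = scan_config(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample configurations (hostnames and paths are placeholders).
SAMPLE_CLEAN = ("client\ndev tun\nremote vpn.example.test 1194\n"
                "# up commented-out.bat\n")
SAMPLE_FLAGGED = SAMPLE_CLEAN + 'script-security 2\nup "C:\\placeholder\\hook.bat"\n'

if __name__ == "__main__":
    root = Path(os.environ.get("APPDATA", ".")) / "Securepoint SSL VPN"
    for path, hits in scan_tree(root).items():
        for no, name, arg in hits:
            print(f"{path}:{no}: {name} {arg}")
```

A finding is a prompt for review, not proof of tampering; compare flagged profiles against the configuration the administrator originally distributed.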
  
Disclosure Timeline  
===================================================  
14.04.2021: The vulnerability was discovered and reported to security@securepoint.de  
15.04.2021: The report was triaged  
26.04.2021: Securepoint SSL VPN Client Version 2.0.32 was released, which contains an initial fix for the vulnerability  
23.06.2021: Securepoint SSL VPN Client Version 2.0.34 was released, which contains additional security measures.  
28.06.2021: CVE-2021-35523 was assigned: https://nvd.nist.gov/vuln/detail/CVE-2021-35523   
29.06.2021: Responsible disclosure in cooperation with Securepoint: https://github.com/Securepoint/openvpn-client/security/advisories/GHSA-v8p8-4w8f-qh34  
  
___________  
  
Florian Bogner  
Information Security Expert, Speaker  
  
Bee IT Security Consulting GmbH  
Nibelungenstraße 37  
3123 A-Schweinern  
  
Mail: florian.bogner@bee-itsecurity.at  
Web: https://www.bee-itsecurity.at