Lenze: VPN Client Privilege Escalation in combination with Lenze x500 IoT Gateway

The Lenze VPN client is vulnerable to a Local Privilege Escalation to root/SYSTEM by executing a configuration file which can be controlled by a non-privileged user. This occurs through a race condition exploit, where an attacker can overwrite the temporary OpenVPN configuration file located in a world-writable directory. By injecting malicious commands into the configuration file prior to its execution by the VPN client, an attacker can trigger arbitrary code execution with root/system privileges when a VPN connection is initiated. The vulnerability has been remediated in the version 1.4.4 of the Lenze VPN client.
Due to some further developments and completion of the functional scope, it is recommended to update the firmware of the x500 IoT Gateway devices immediately, regardless of the current security vulnerability in the VPN client.

This vulnerability allows local non-privileged users to escalate their privileges to root or SYSTEM by exploiting a race condition in the Lenze VPN Client. Successful exploitation could lead to full system compromise, enabling attackers to execute arbitrary code with elevated privileges.

Obtain the updated VPN software (version >= 1.4.4) from cloud.lenze.digital/fleet-manager/too... and run the installer on a windows and macOS system or run the following
commands in an linux system:
tar -xzf vpn_client_x64.tar.gz
cd vpn_client_x64
sudo ./install