| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| | x510 | all |
| | x520 | all |
| | x530 | all |
| | x540 | all |

The Lenze VPN client is vulnerable to a Local Privilege Escalation to root/SYSTEM because it executes a configuration file which can be controlled by a non-privileged user. This occurs through a race condition in which an attacker can overwrite the temporary OpenVPN configuration file located in a world-writable directory. By injecting malicious commands into the configuration file before the VPN client executes it, an attacker can trigger arbitrary code execution with root/SYSTEM privileges when a VPN connection is initiated. The vulnerability has been remediated in version 1.4.4 of the Lenze VPN client. Due to some further developments and completion of the functional scope, it is recommended to update the firmware of the x500 IoT Gateway devices immediately, regardless of the current security vulnerability in the VPN client.
IXON VPN Client before 1.4.4 on Linux and macOS allows Local Privilege Escalation to root because there is code execution from a configuration file that can be controlled by a low-privileged user. There is a race condition in which a temporary configuration file, in a world-writable directory, can be overwritten.
IXON VPN Client before 1.4.4 on Windows allows Local Privilege Escalation to SYSTEM because there is code execution from a configuration file that can be controlled by a low-privileged user. There is a race condition in which a temporary configuration file, in a world-writable directory, can be overwritten.
This vulnerability allows local non-privileged users to escalate their privileges to root or SYSTEM by exploiting a race condition in the Lenze VPN Client. Successful exploitation could lead to full system compromise, enabling attackers to execute arbitrary code with elevated privileges.
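The race described above exists because a privileged process loads a file that other local users can reach. The following Python example is added here and is not code from Lenze or IXON: it writes a temporary configuration into a private directory and refuses to load one that other users could have altered. It is POSIX only (Linux and macOS); the file name `client.ovpn`, the `vpncfg-` prefix and both function names are assumptions, and the check covers the file and its parent directory only.

```python
import os
import stat
import tempfile

LOOSE = stat.S_IWGRP | stat.S_IWOTH  # write bits for group and other


def write_private_config(text):
    """Create the config inside a fresh directory only the caller can enter."""
    workdir = tempfile.mkdtemp(prefix="vpncfg-")  # random name, mode 0700
    path = os.path.join(workdir, "client.ovpn")   # assumed file name
    # O_EXCL fails if the name already exists; O_NOFOLLOW refuses a symlink.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    with os.fdopen(os.open(path, flags, 0o600), "w") as fh:
        fh.write(text)
    return path


def read_verified_config(path, trusted_uids=None):
    """Return the config text, or raise PermissionError if others could alter it."""
    trusted = {0, os.geteuid()} if trusted_uids is None else set(trusted_uids)
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # never follow a planted link
    try:
        st = os.fstat(fd)  # describes the object actually opened, not the name
        parent = os.stat(os.path.dirname(os.path.abspath(path)))
        problems = []
        if not stat.S_ISREG(st.st_mode):
            problems.append("not a regular file")
        if st.st_uid not in trusted:
            problems.append("file owned by untrusted uid %d" % st.st_uid)
        if st.st_mode & LOOSE:
            problems.append("file writable by group/other")
        if parent.st_uid not in trusted or parent.st_mode & LOOSE:
            problems.append("parent directory lets other users replace the file")
        if problems:
            raise PermissionError("; ".join(problems))
        with os.fdopen(os.dup(fd)) as fh:  # read from the verified descriptor
            return fh.read()
    finally:
        os.close(fd)
```

The privileged side should consume the content returned from the verified descriptor rather than reopening the path by name, since reopening reintroduces the window between check and use.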
Remediation
Obtain the update software (version >= 1.4.4) from https://cloud.lenze.digital/fleet-manager/tools and run the installer on a Windows or macOS system, or run the following commands on a Linux system:

```
tar -xzf vpn_client_x64.tar.gz
cd vpn_client_x64
sudo ./install
```
General Recommendations
The cyber security documentation currently describes some of the implemented functions and is intended to clarify the functions described here.
CERT@VDE coordinated with Lenze SE