CVE-2020-9442: 
NixOS vulnerability analysis and mitigation

OpenVPN Connect 3.1.0.361 on Windows contains a privilege escalation vulnerability identified as CVE-2020-9442, discovered on December 15, 2019. The vulnerability stems from insecure permissions set for the directory %PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10, which enables local users to escalate privileges by placing a malicious drvstore.dll file in this location (GitHub Exploit).

The vulnerability exists due to permissive folder permissions in 'C:\ProgramData\OpenVPN Connect' that allow unprivileged users to place malicious DLL files alongside tapinstall.exe. When OpenVPN client is installed or upgraded, the malicious DLL is loaded by tapinstall, executing the shellcode with SYSTEM privileges. The specific DLLs searched by tapinstall include DEVRTL.dll, SPINF.dll, drvstore.dll, DEVOBJ.dll, newdev.dll, and VCRUNTIME140.dll. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The successful exploitation of this vulnerability allows a local attacker to elevate their privileges to SYSTEM level access on the affected Windows system. This enables the attacker to execute arbitrary code with the highest system privileges (GitHub Exploit).

The vulnerability was patched in OpenVPN Connect version 3.1.1 (378) beta, released in January 2020. Users should upgrade to this version or later to protect against this vulnerability (GitHub Exploit).