CVE-2022-25165: 
Amazon AWS VPN Client vulnerability analysis and mitigation

A TOCTOU (Time-of-check Time-of-use) race condition vulnerability was discovered in Amazon AWS VPN Client version 2.0.0. The vulnerability, identified as CVE-2022-25165, allows parameters outside of the AWS VPN Client allow list to be injected into the configuration file before the AWS VPN Client service (running as SYSTEM) processes the file. This vulnerability was discovered in February 2022 and was fixed in version 3.0.0 (AWS Security Bulletin, Rhino Security Labs).

The vulnerability exists during the validation of VPN configuration files, where a race condition allows dangerous arguments to be injected by a low-level user. Specifically, when file paths are supplied to directives that accept file paths as arguments (such as auth-user-pass), the AWS VPN Client performs validation by executing a file open operation on the path. The vulnerability has a CVSS v3.1 base score of 7.0 (HIGH) with vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability can lead to information disclosure where a user's Net-NTLMv2 hash can be leaked via a UNC path in a VPN configuration file. Additionally, it enables arbitrary file writes as SYSTEM with partial control over the file's content, which can be exploited for privilege escalation or denial of service (Rhino Security Labs).

AWS has addressed these vulnerabilities in AWS VPN Client version 3.0.0. Users are recommended to upgrade to the latest version immediately to ensure defense in depth. The updated version can be downloaded from the official AWS website (AWS Security Bulletin).