CVE-2023-27516: 
SoftEther VPN Server vulnerability analysis and mitigation

An authentication bypass vulnerability exists in the CiRpcAccepted() functionality of SoftEther VPN 4.41-9782-beta and 5.01.9674. A specially crafted network packet can lead to unauthorized access. The vulnerability was discovered by Lilith of Cisco Talos and was disclosed on October 12, 2023 (Talos Report).

The vulnerability exists in the SoftEther VPN client's RPC server component, which binds to TCP ports 9931-9936 on all interfaces. The RPC server uses a default password that is derived from an empty SHA0 hash, resulting in a predictable value of '\xf9\x6c\xea\x19\x8a\xd1\xdd\x56\x17\xac\x08\x4a\x3d\x92\xc6\x10\x77\x08\xc0\xef'. The CVSS score is 7.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L) (Talos Report).

If exploited, the vulnerability allows other local users to gain access to the RPC server, or remote users if configured for remote access. Attackers can install certificates to conduct man-in-the-middle attacks on VPN connections and potentially dump VPN authentication settings, leading to further compromise of the VPN endpoint (Talos Report).

The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of SoftEther VPN. The fix was released on June 30, 2023 (SoftEther Advisory).

The vulnerability was part of a larger security audit that discovered nine vulnerabilities in the SoftEther VPN solution. The findings were significant enough to warrant public disclosure and patches, highlighting the importance of securing VPN software used for protecting against censorship and eavesdropping (Talos Blog).