Friday April 26, 2019 08:37

Popular VPNs contained code execution security flaws

Posted by Randy

The patches issued for a vulnerability in two popular VPN builds led to the detection of separate bugs that had to be resolved promptly. Researchers have recently discovered vulnerabilities in the popular VPN (Virtual Private Network) software NordVPN and ProtonVPN which may allow attackers to execute arbitrary code.

Cisco Talos, the world’s largest hub of security intelligence, works tirelessly to detect and counter cyber-attack strategies. A few weeks ago, Cisco Talos intelligence researchers found two similar flaws in the NordVPN and ProtonVPN builds. The vulnerabilities are tracked as CVE-2018-3952 and CVE-2018-4010.

CVE-2018-3952, the first bug, affects NordVPN, a VPN service which has over one million users all over the world. CVE-2018-4010 impacts ProtonVPN, a new VPN client which started as a crowdfunding project.

These vulnerabilities allow an attacker who is a standard user to execute code as an administrator on a Microsoft Windows system.

The vulnerabilities are similar to a security flaw, CVE-2018-10169, which was discovered previously by VerSprite in April 2018. In the same month, both clients applied similar security patches to fix this vulnerability. However, Cisco Talos found a way to bypass this patch. They proved that, despite the fix, executing code as an administrator on the system is still possible through a different means of exploitation.

Both clients share the same design. Their user interface binaries run with the permissions of the logged-in user. This application allows the user to configure the VPN, such as the protocol, the location of the VPN server, etc.

These settings make up an OpenVPN configuration file. This information is sent to a service when the user clicks connect. The service binaries receive orders from the user interface. The goal is to execute the OpenVPN client binary with the user's configuration file under administrator privileges. The vulnerabilities abuse this service and allow a standard user to execute arbitrary commands with administrator privileges via OpenVPN.

According to the vulnerability description, the connect method takes a class instance argument which gives the attacker control of the OpenVPN command line. The attacker can specify a library plugin that should run for every new VPN connection, which will execute code in the context of the system user.

Such malicious OpenVPN file content may lead to tampering with the VPN service, information disclosure, and hijacking through arbitrary commands. Both the ProtonVPN and NordVPN providers implemented a similar patch: a control mechanism for the OpenVPN configuration file content.

But recently Talos found that the patched code contains a small coding vulnerability that permits bypassing the fix. The researchers found this during a testing session of ProtonVPN VPN version 1.5.1 and NordVPN version

To resolve this problem, NordVPN developed a patch, while it took a little longer for Proton, which created a fix earlier this month. An XML model is used to generate the OpenVPN configuration files, and users cannot modify it. Later, the OpenVPN configuration files were relocated to the installation directory, where users cannot edit them.
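The content control on the OpenVPN configuration file described above can be illustrated with an added example; it is not code from NordVPN, ProtonVPN or Talos. It tokenizes each line before checking the directive name against an allowlist, so indentation or quoting cannot hide a directive such as `plugin`; the allowlist and sample profiles are assumptions constructed for illustration.

```python
import shlex

# Assumption: a small allowlist for a client profile. A real client would
# derive it from the options its own templates emit.
ALLOWED = {"client", "dev", "proto", "remote", "nobind", "persist-key",
           "persist-tun", "cipher", "auth", "verb", "remote-cert-tls"}
# Inline blocks such as <ca>...</ca> carry data, not directives.
INLINE_BLOCKS = {"ca", "cert", "key", "tls-auth", "tls-crypt"}

def validate_profile(text):
    """Return (line_number, reason) findings; an empty list means accepted."""
    findings, open_block = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if open_block:                      # skip data until the block closes
            if line == f"</{open_block}>":
                open_block = None
            continue
        if not line or line[0] in "#;":     # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">"):
            if line[1:-1] in INLINE_BLOCKS:
                open_block = line[1:-1]
            else:
                findings.append((n, f"inline block not allowed: {line}"))
            continue
        try:
            # Tokenize first so quoting and spacing cannot hide the name.
            tokens = shlex.split(line, comments=True)
        except ValueError:
            findings.append((n, "unbalanced quoting"))
            continue
        if tokens and tokens[0] not in ALLOWED:
            findings.append((n, f"directive not allowed: {tokens[0]}"))
    if open_block:
        findings.append((0, f"unterminated inline block: {open_block}"))
    return findings

# Constructed sample profiles (not taken from either product).
GOOD_PROFILE = ("client\ndev tun\nproto udp\nremote vpn.example.net 1194\n"
                "<ca>\n(certificate data)\n</ca>\nverb 3\n")
BAD_PROFILE = ('client\nremote vpn.example.net 1194\n  plugin placeholder.dll\n'
               '"plugin" placeholder.dll\nremote "vpn.example.net 1194\n')

if __name__ == "__main__":
    for name, profile in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(name, validate_profile(profile))
```

A privileged service should run this kind of check on its own side of the trust boundary, since anything validated only in the user-level interface can be changed before it reaches the service.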

Users should update their ProtonVPN and NordVPN builds as soon as possible to avoid being compromised through these bugs.
