Security Holes Discovered in 2 Popular VPN Services

VPN (Virtual Private Network) is a method that can be used to add security and privacy to private and public networks such as WiFi Hotspots and the Internet. Usually, these VPNs are used by the corporation to protect confidential data. There are a huge number of VPN service providers across the internet market. One can get them at reliable price with the Black Friday VPN deals. But now, it is increasingly becoming so popular. Privacy is increased by the VPN because the users initial IP is masked by the one from the VPN provider. Subscribers get an IP address from any gateway city the VPN service provides.

However, In recent times, Researchers had found that two most popular VPNs were exposed to a serious vulnerability that could let the attackers run arbitrary code on affected computers.

Cisco Talos, a leading-edge cyber threat intelligence team providing various strategic solutions for network cyber-attacks. Based on the information obtained from the Talos researchers, two popular VPN builds have vulnerabilities due to the desktop clients accessed VPN services.

The vulnerabilities are CVE-2018-3952, which impacts on NordVPN and CVE-2018-4010 found in ProtonVPN builds, lead to the privilege escalation attack. These are similar to a problem discovered previously by VerSprite in April 2018, CVE-2018-10169. These vulnerabilities have the ability to abuse the service and allow the standard users to implement the arbitrary codes through OpenVPN with the administrator privileges.

This might have never been detected if not for a separate exploit that both providers patched several months ago. Following the CVE-2018-10169, the researcher of Talos started to look for similar exploits. And recently they found that it is still possible to bypass the patches.

Both the VPN clients execute the binaries with the permission of the logged-in user. This application allows the user to select the VPN configuration. For instance, the NordVPN or ProtonVPN client can activate a VPN connection with a server at a particular location. The client now executed the required binary to make the connection on your system. The CVE-2018-10169 allowed the attackers to replace a malicious OpenVPN file which could seize a connection.

The NordVPN and ProtonVPN deployed a fix for this in the month of April. But Talos discovered a coding mistake in the patch, as a result, it was still possible to run the arbitrary codes when the user selects to connect. Cisco Talos alerted the VPN service providers to hold the disclosure till new patches were pushed.

As a result, The NordVPN started to implement an XML model to generate the OpenVPN configuration files, so that the non-administrator cannot modify the XML template. The ProtonVPN encountered this flaw by replacing the OpenVPN configuration files into installation directory where a non-administrator user cannot edit them.

At the time, the Cisco disclosed the CVE details, the vulnerability had already been fixed. An automatic update was pushed to all the customers by the beginning of August. This eliminated any risk of the vulnerability being exploited in real life condition.

The users are asked to make sure to update their client to the latest VPN builds. Both the VPN builds are intense to point out that there is no evidence of the vulnerability being exploited.

Leave a Reply