The Shimo VPN client for Mac systems contains six privilege escalation vulnerabilities that have yet to be patched by its developers, researchers from Cisco's Talos division reported yesterday.
Shimo is a product that allows users to connect multiple VPN accounts to a single application. Discovered by Cisco Labs researcher Tyler Bohan, all six flaws were found in Shimo VPN client version 220.127.116.11's "helper tool," which Talos says is used to accomplish certain privileged work.
In a blog post, Talos describes five of the vulnerabilities as exploitable, while noting that all six require local access to the machine.Three of them can allow attackers to elevate privileges to root. A fourth can enable a non-root users to kill privileged processes, while another lets attackers delete protected files and yet another can be exploited to execute user-supplied script arguments under root context.
Please register to continue.
Already registered? Log in.
Once you register, you'll receive:
The context and insight you need to stay abreast of the most important developments in cybersecurity. CISO and practitioner perspectives; strategy and tactics; solutions and innovation; policy and regulation.
Unlimited access to nearly 20 years of SC Media industry analysis and news-you-can-use.
SC Media’s essential morning briefing for cybersecurity professionals.
One-click access to our extensive program of virtual events, with convenient calendar reminders and ability to earn CISSP credits.