Two OpenVPN-based virtual private network clients have reportedly updated their software after a researcher discovered that a previous attempt to patch an arbitrary code execution vulnerability was not entirely effective.

According to Cisco Systems' Talos division, the bugs in Switzerland-based ProtonVPN (CVE-2018-4010) and Panama-based NordVPN (CVE-2018-3952) can allow attackers in Windows environments to use a specially crafted configuration file to elevate privileges to administrator, and then execute code. Officially described as the "improper neutralization of special elements used in an operating system command," the bugs were both assigned a high CVSS score of 8.8.

The original bug found in both products (CVE-2018-10169) was discovered last April in a "connect" functionality that prompts the VPNs' "service" component to receive orders to execute the OpenVPN configuration from the user interface. "To trigger this vulnerability, the attacker must add a parameter such as 'plugin' or 'script-security' in the OpenVPN configuration file," Talos explains in security advisories for both VPNs [1, 2]. "In this context, the plugin or the script will be executed by OpenVPN, which is executed by the service running as system."
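A defender-side check for the condition Talos describes, added here as an illustration and not taken from the article, Talos or either vendor: it tokenizes an OpenVPN configuration and reports every directive that is not on an allowlist, so "plugin" and "script-security" are rejected by default. The allowlist contents, the function names and the sample profile are assumptions, and `shlex` only approximates OpenVPN's own tokenizer.

```python
import shlex

# Assumed allowlist for illustration; build yours from the profiles you ship.
ALLOWED = {"client", "dev", "proto", "remote", "nobind", "persist-key",
           "persist-tun", "remote-cert-tls", "cipher", "auth", "verb", "ca"}
INLINE_BLOCKS = {"ca"}  # <tag>...</tag> bodies that may be embedded

# Constructed sample profile (not taken from either product).
SAMPLE = """client
dev tun
remote vpn.example.test 1194
<ca>
(constructed placeholder, not a certificate)
</ca>
  script-security 2
plugin example.dll
"""

def tokenize(line):
    """Resolve quotes and backslashes; '#' or ';' starts a comment."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#;":
        return []
    lexer = shlex.shlex(stripped, posix=True)
    lexer.whitespace_split = True
    lexer.commenters = "#;"
    return list(lexer)  # raises ValueError on an unbalanced quote

def audit_config(text):
    """Return (line_number, reason) for each line outside the allowlist."""
    findings, block = [], None
    for n, line in enumerate(text.splitlines(), 1):
        if block:  # inside an inline body: skip until the closing tag
            block = None if line.strip() == f"</{block}>" else block
            continue
        try:
            tokens = tokenize(line)
        except ValueError as exc:  # fail closed on anything unparseable
            findings.append((n, f"unparseable: {exc}"))
            continue
        if not tokens:
            continue
        name = tokens[0][2:] if tokens[0].startswith("--") else tokens[0]
        tag = name[1:-1]
        if tokens == [f"<{tag}>"] and tag in INLINE_BLOCKS:
            block = tag
        elif name not in ALLOWED:
            findings.append((n, f"directive not allowed: {name}"))
    return findings
```

A check like this only helps if the privileged service applies it to the exact bytes it then hands to OpenVPN.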
