Two OpenVPN-based virtual private network clients have reportedly updated their software after a researcher discovered that a previous attempt to patch an arbitrary code execution vulnerability was not entirely effective.
According to Cisco Systems' Talos division, the bugs in Switzerland-based ProtonVPN (CVE-2018-4010) and Panama-based NordVPN (CVE-2018-3952) can allow attackers in Windows environments to use a specially crafted configuration file to elevate privileges to administrator, and then execute code. Officially described as the "improper neutralization of special elements used in an operating system command," the bugs were both assigned a high CVSS score of 8.8.
The original bug found in both products (CVE-2018-10169) was discovered last April in a "connect" function through which the VPNs' "service" component receives orders from the user interface to execute the OpenVPN configuration. "To trigger this vulnerability, the attacker must add a parameter such as 'plugin' or 'script-security' in the OpenVPN configuration file," Talos explains in security advisories for both VPNs [1, 2]. "In this context, the plugin or the script will be executed by OpenVPN, which is executed by the service running as system."
Although NordVPN and ProtonVPN both published patches to check for such exploits, Talos senior software engineer Paul Rascagneres later discovered, while examining the OpenVPN source code of the configuration file parser, that the fixes could be bypassed, Cisco explains in a blog post further describing the issue. However, the latest round of patches apparently has eliminated this bypass technique.
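As an added illustration (not code from Talos, NordVPN or ProtonVPN), here is a Python check that a privileged VPN service could run on a profile before handing it to OpenVPN. It follows the lesson of the article, examining what the configuration parser actually sees: directives are matched on parsed tokens rather than on raw line text, so indented, quoted or "--"-prefixed forms that OpenVPN accepts are still flagged. The directive list beyond "plugin" and "script-security", and the tokenizer's approximation of OpenVPN's parser, are assumptions.

```python
# 'plugin' and 'script-security' are the directives named in the Talos
# advisories; the rest are OpenVPN's standard script hooks.  Assumption:
# this list is illustrative, not either vendor's actual block list.
CODE_EXEC_DIRECTIVES = {
    "plugin", "script-security", "up", "down", "route-up", "route-pre-down",
    "ipchange", "tls-verify", "auth-user-pass-verify", "client-connect",
    "client-disconnect", "learn-address"}

def tokenize(line):
    """Split a line as OpenVPN does: '#'/';' comments, quotes, backslashes."""
    stripped = line.lstrip()
    if not stripped or stripped[0] in "#;":
        return []  # blank line or comment line
    tokens, cur, quote, escape = [], "", None, False
    for ch in stripped:
        if escape:                      # backslash-escaped character
            cur, escape = cur + ch, False
        elif ch == "\\":
            escape = True
        elif quote == ch:               # closing quote
            quote = None
        elif quote or not (ch.isspace() or ch in "\"'"):
            cur += ch                   # inside quotes, or ordinary char
        elif ch in "\"'":               # opening quote
            quote = ch
        elif cur:                       # whitespace ends a token
            tokens.append(cur)
            cur = ""
    return tokens + [cur] if cur else tokens

def find_code_exec_directives(config_text):
    """[(line_no, directive)] for lines whose first parsed token executes code;
    strips OpenVPN's optional '--' prefix and ignores case to fail closed."""
    hits = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        tokens = tokenize(line)
        directive = tokens[0].lstrip("-").lower() if tokens else None
        if directive in CODE_EXEC_DIRECTIVES:
            hits.append((line_no, directive))
    return hits

# Constructed sample profile: the last three lines are indented, quoted and
# '--'-prefixed forms that OpenVPN still parses as option directives.
SAMPLE_CONFIG = """\
client
remote vpn.example.test 1194
# plugin in a comment is harmless
  plugin some-plugin.dll
"script-security" 2
--up some-script.bat
"""
```

A service using this would refuse the profile when the returned list is non-empty, reporting the line numbers to the user rather than passing the file to the SYSTEM-level OpenVPN process.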
In a brief statement, a NordVPN spokesperson said that the company patched the vulnerability "more than a month ago."
ProtonVPN also issued a statement: "Later versions of ProtonVPN have resolved this issue and an update has been rolled out to all users. It is important to note that an attacker needs to already have access to the target's computer for this exploit to work, and it only impacts Windows users. The fix we have implemented should eliminate all bugs of this nature, and we continue to work with independent security researchers around the globe to make ProtonVPN more secure through our bug bounty program."