
ProtonVPN and NordVPN reinforce incomplete patch for code execution bug

Two OpenVPN-based virtual private network clients have reportedly updated their software after a researcher discovered that a previous attempt to patch an arbitrary code execution vulnerability was not entirely effective.

According to Cisco Systems' Talos division, the bugs in Switzerland-based ProtonVPN (CVE-2018-4010) and Panama-based NordVPN (CVE-2018-3952) can allow attackers in Windows environments to use a specially crafted configuration file to elevate privileges to administrator, and then execute code. Officially described as the "improper neutralization of special elements used in an operating system command," the bugs were both assigned a high CVSS score of 8.8.

The original bug found in both products (CVE-2018-10169) was discovered last April in a "connect" functionality that prompts the VPNs' "service" component to receive orders to execute the OpenVPN configuration from the user interface. "To trigger this vulnerability, the attacker must add a parameter such as 'plugin' or 'script-security' in the OpenVPN configuration file," Talos explains in security advisories for both VPNs [1, 2]. "In this context, the plugin or the script will be executed by OpenVPN, which is executed by the service running as system."

Although NordVPN and ProtonVPN both published patches to check for such exploits, Talos senior software engineer Paul Rascagneres later discovered, while examining the configuration file parser in the OpenVPN source code, that the fixes could be bypassed, Cisco explains in a blog post further describing the issue. However, the latest round of patches has apparently eliminated this bypass technique.
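One way a privileged service could vet a configuration before handing it to OpenVPN, shown as an added example that is not code from NordVPN, ProtonVPN or Talos: it tokenizes each line and accepts only allowlisted directives, rather than searching the text for known-bad keywords. The allowlist, the function names and the sample profiles are assumptions of this example.

```python
import shlex

# Hypothetical allowlist: directives a client profile is assumed to need.
# Anything else, including 'plugin' and 'script-security', is rejected
# without having to be named in a blocklist.
ALLOWED_DIRECTIVES = frozenset({
    "client", "dev", "proto", "remote", "resolv-retry", "nobind",
    "persist-key", "persist-tun", "cipher", "auth", "verb",
    "remote-cert-tls",
})

# Constructed sample profiles for the example.
SAMPLE_OK = "client\ndev tun\nproto udp\nremote vpn.example.test 1194\n# note\n"
SAMPLE_BAD = "client\n  script-security 2\n\tplugin example.dll\n"


def tokenize(line):
    """Split one config line into tokens; return None if it is malformed.

    shlex in POSIX mode is used here as an approximation of how the
    configuration parser treats whitespace, quotes and '#' comments
    (an assumption of this example); ';' comments are handled separately.
    """
    if line.lstrip().startswith(";"):
        return []
    try:
        return shlex.split(line, comments=True, posix=True)
    except ValueError:  # for example an unbalanced quote
        return None


def validate_config(text):
    """Return (line_number, reason) findings; an empty list means accepted."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        tokens = tokenize(line)
        if tokens is None:
            # Fail closed: a line we cannot parse is never passed through.
            findings.append((number, "unparseable line"))
        elif tokens and tokens[0] not in ALLOWED_DIRECTIVES:
            # Compare the parsed first token, so indentation or spacing
            # around the keyword does not change the decision.
            findings.append((number, "directive not allowed: " + tokens[0]))
    return findings


if __name__ == "__main__":
    print(validate_config(SAMPLE_OK))
    print(validate_config(SAMPLE_BAD))
```

Because the decision is made on parsed tokens and defaults to rejection, a difference between the validator's view of a line and the parser's view results in a refused profile rather than an executed directive.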

In a brief statement, a NordVPN spokesperson said that the company patched the vulnerability "more than a month ago." 

ProtonVPN also issued a statement: "Later versions of ProtonVPN have resolved this issue and an update has been rolled out to all users. It is important to note that an attacker needs to already have access to the target's computer for this exploit to work, and it only impacts Windows users. The fix we have implemented should eliminate all bugs of this nature, and we continue to work with independent security researchers around the globe to make ProtonVPN more secure through our bug bounty program."

Bradley Barth

