Popular VPNs Contained Code Execution Security Flaws, Despite Patches

Researchers have uncovered vulnerabilities in popular virtual private network (VPN) software, ProtonVPN and NordVPN, which can lead to the execution of arbitrary code by attackers. From a report: Last week, Cisco Talos security researchers said the security flaws, CVE-2018-3952 and CVE-2018-4010, permit code execution by attackers on Microsoft Windows machines. The vulnerabilities are similar to a Windows privilege escalation security flaw uncovered by VerSprite, which is tracked as CVE-2018-10169. Security patches were applied in April by both clients to resolve the original security hole, but according to Talos, "despite the fix, it is still possible to execute code as an administrator on the system." The initial vulnerability was caused by similar design issues in both clients. The interface for both NordVPN and ProtonVPN execute binaries with the permission of a logged-in user, and this includes the selection of a VPN configuration option, such as a desired VPN server location. This information is sent to a service when "connect" is clicked by way of an OpenVPN configuration file. However, VerSprite was able to create a crafted OpenVPN file which could be sent to the service, loaded, and executed.

Why does this keep happening?

[goombah99]

Intuitively, why can't we come up with some simple conduits that are sufficiently simple and vetted that we can be reasonably sure that ill conditioned inputs can't escape the sandbox. Then and only then build the convenience features on top of this?

Perhaps today's XKCD explains this very problem quite well. Firewalls prevent easy communications between component services.

true. But for a VPN there are a just a few enumerable things it actually needs to do correctly. It doesn't actually need admin priveledges to carry the message just admin priveledges to set up the network tunnels. So how is it possible one can't write a system where the message can execute as root?

I suspects is' because people see some speed shortcut similar ot Active-X or ssh -Y xwindows that values shorcuts.

Re:Why does this keep happening?

Intuitively, why can't we come up with some simple conduits that are sufficiently simple and vetted that we can be reasonably sure that ill conditioned inputs can't escape the sandbox.

We can. The "sufficiently simple and vetted" conduit is called OpenSSH.

https://help.ubuntu.com/community/SSH_VPN

Re:Why does this keep happening?

[cfalcon]

In the general case, the reason we can't make "sufficiently simple and vetted that we can be reasonably sure that ill conditioned inputs can't escape the sandbox" is because no one is willing to take the hit in functionality.

As other comments have pointed out, the correct version of this is OpenVPN. But that doesn't allow all the (presumably configuration-related) things that these guys wanted, so they distributed a binary instead that can take commands remotely. Fundamentally, what they want to do could be done safely, but no matter how you slice it, doing that correctly is going to cost them something. They might have to open source something, or pay auditors, or spend a lot of extra time on something.

Another more obvious example is HTTP. People did come up with extensions to this, that exist within the idea of simple and well behaved descriptions, but eventually there was the desire to download and run a program in a web browser, which we see implemented over and over again (with javascript the current winner). There's way too much interest in something that solves a general case and is very powerful, and sure enough, we see vulnerability after vulnerability.

It honestly feels like a "last mile" problem.

Re:Why does this keep happening?

[SpzToid]

Obligatory XKCD: https://xkcd.com/2044

Re:Why does this keep happening?

Dood! The Internets are made out of kludges, work-arounds and code snippets copied from Stackoverflow.com. I can't image that VPN software is any better. Anyone who would trust their information to that mess probably gets what they deserve.

Re:Why does this keep happening?

[darkain]

Just an FYI, but the programs in question *ARE* OpenVPN based.

Re:Why does this keep happening?

[Njovich]

The amount of time required to validate that a piece of networked software is secure to absolute certainty approaches infinity.

Re:Why does this keep happening?

[PPH]

But for a VPN there are a just a few enumerable things it actually needs to do correctly.

In the *NIX world: Build a bunch of simple utilities that do one thing each very well. If you need complex setup/configuration abilities, wrap it all in some administrative shell scripts.

In the Windows world: It all has to be bundled into a one-size-fits-all hairball of point and click administrative functions.

Re:Why does this keep happening?

[skids]

so they distributed a binary instead that can take commands remotely.

This is a fundamental mistake most people make with cryptography... they do not
realize that the negotiation of configuration options is not a safe operation that just
points an underlying secure tool to the correct endpoints/protocols. It is part of the
security.

Heck even the IPSec standard writers screwed this up a tiny bit (you can downgrade
an IPSec session if you have MITM on the first couple packets of ISAKMP exchange
and both sides have low-grade protocols in their offers). So nobody should expect
a bunch of hotshot "app" developers to get it right.

Every. Byte. Of. Every. Part. Of. The. Initial. Negotiation. Must. Be. Carefully. Validated.

Nowadays we have these 3rd-party VPN overlays that fire up all sorts of crazy crap
to try to auto-configure themselves both for and from a resource-diverse, redundant
cloud service... what could possibly go wrong?

Keep your VPNs simple, stupid.

Re:Why does this keep happening?

[nine-times]

Well reading your post only leads me back around to this question: Why are these VPN services writing their own client anyway?

I understand that a VPN client should theoretically not be doing anything terribly complicated and so shouldn't be too hard to write. At the same time, why are they writing their own clients at all? After decades of dealing with VPN, how is it that we still don't have a simple, open, trouble-free VPN system built into the OS?

As far I can can tell, the biggest problem is the same problem that we're having throughout computing: nobody wants to invest in standards. Tech companies like Google and Microsoft and Cisco will only spend money to develop and secure a solution where they then have a lock on their own proprietary protocols and formats, in order to prevent real competition. If someone else comes up with an open standard, you get some kind of NIH syndrome which explained by another older xkcd comic.

We need to create standards again, instead of each tech company trying to build their own little walled garden. I know having open standards or even FOSS doesn't prevent there from being security issues, but at least it allows interested parties to work together on them.

Re:Why does this keep happening?

[b0bby]

Agreed; why don't they at least just say "use the OpenVPN client"?

Of course the most likely answer is "because they want to make it harder to switch VPN providers".

Re:Why does this keep happening?

[tlhIngan]

Just an FYI, but the programs in question *ARE* OpenVPN based.

The problem is not OpenVPN. It's everything around it. Configuring a VPN can be tricky or trivial, depending on how many parameters one needs to type in exactly. Some VPN providers have step by step walkthroughs that show every dialog, and every piece of information you need to enter and where to enter it. And of course, there's the one-click installer that does it all for you so you don't have to bother. Because face it - the people who normally use VPNs can't configure worth crap - you can walk them through and they'll make a typo and not notice it and it doesn't work.

And when it comes to corporate settings, things get screwier. We use a SSL VPN as an alternative system - it works on port 443 (SSL) which lets employees generally connect back on even the most restrictive of firewalls. (If you can't make an HTTPS connection, there are more serious issues).

Re:Why does this keep happening?

[gweihir]

It is basically a mixture of sabotage (e.g. as IPsec was sabotaged by the NSA by making it very complicated), too cheap development, incompetent developers and management, "Not Invented Here" stupidity and KISS violations. SSH-Tunneling via OpenSSH has had no vulnerabilities for a long time now, but it also has had no new features, because it does not need them.

All this is well-known and you even find these effects in the literature on software engineering. But the people making these bad decisions and designing and implementing these bad implementations are typically completely unaware.

Re:Why does this keep happening?

[AHuxley]

People want a VPN in an their new OS. In a smart phone. With a faster internet. For less to pay per month. Complexity sets in as an OS changes.

Re: Why does this keep happening?

I don't know about NordVPN, but ProtonVPN provides config files for OpenVPN. This is actually a default method of using it on Linux/*BSDs/WhatNots.

A combination of

[WCMI92]

Cheap Indian programmers and the CIA.

The CIA won't have communications that they cannot bug.

Re:A combination of

"The CIA won't have communications that they cannot bug."
Don't forget the NSA,FBI FSB, SIS(MI6), MSS (China), ASIS, CSIS, DGSE, RAW, SVR, and the Mossad. And these intelligence services only the ones ranked in the top 10. Then there are the ones nobody has ever heard of. If you are going to whine about the US intelligence agencies please do so in the correct context. Only in the US will you see people demanding that their covert intelligence agencies become more transparent. The actions of these social justice warriors directly and unequivocally benefit both the enemies and allies of the US. And on a related matter Snowden should start worrying about losing his sanctuary in Russia. The arrested a Russian citizen and charged her with some serious crimes. Russia is demanding she be released and the US now has someone to trade. For the right deal Putin would put Snowden on a direct flight to the US in 15 minutes.

Re:A combination of

[AHuxley]

Turmoil, Apex, TURBULENCE https://en.wikipedia.org/wiki/.... Digital Network Crypt Applications with GALLANTWAVE, MALIBU Architecture, Transform Engine Emulator.
All ways the security services never had to consider VPN users an issue and always had global collect it all.

Believe it

[AlanObject]

A few months back I was running OpenVPN in a VM on one of my main Ubuntu systems. I haven't had time to research it or figure out how but someone managed to use an exploit to install a bitcoin miner on it. I only noticed because the 2 CPUs assigned to the VM reported 100% all the time.

So it happens.

Re:Believe it

Probably had very little to do with OpenVPN though and more to do with you not knowing how to secure a system.

Re:Believe it

[panja]

Always an Anonymous Coward making comments like this.

Re:Believe it

We are often more knowledgeable than those who bother creating accounts.

Re:Believe it

[Mashiki]

Once you know what the miner is, it's trivial to figure out what the infection vector is. I ran across a server used for an insurance company a month back doing the same thing. How'd it get on there? Because someone decided to take it for a tour on the web using an unpatched version of IE.

Re:Believe it

[AlanObject]

Probably had very little to do with OpenVPN though and more to do with you not knowing how to secure a system.

None of my other Ubuntu VMs with public IP addresses on that very same hypervisor were affected. Not before or since.

Your incorrect conclusions have little to do with my knowledge or lack there of and more to do with your arrogant ignorance.

Re: Believe it

So let's get this straight, you are BLAMING openvpn for installing a miner on your computer. Because that is the claim you are making.

I find that hard to believe that YOU were the only one this happen to.

Re:Believe it

[gweihir]

That sounds like an automated attack. You probably were behind on patching or made a common configuration mistake. At least you noticed.

It's on WIndows

[hcs_$reboot]

For a change, TFS tells which OS is targeted by these attacks. Thanks!

Re:It's on WIndows

W0t? Someone really had to tell you it is Windows?

For now, but let's face facts... apk

See subject: Once Linux (if it ever does & yes, Linux user here for months now AGAIN & probably into the future from now on) takes more usershare, the more it will be attacked - & I CAN GUARANTEE THAT with proof: Look @ Android being attacked once it took a HUGE chunk of smartphone usershare (same w/ iOS). It can & will happen on a simple principle I like to always use for an analogy:

Criminals like pickpockets do NOT attack 'crowds of 1' - they go to where the crowds are for more victims, period (like crowded city streets or train/subway stations & other crowded throughfares).

It's just how it is & all you can do is your best to keep abreast of where threats are + to block them out (& they are coming way, Way, WAY FASTER the past few years now than ever before in decades past, I know - I track this in my hosts file & firewall rules tables from TONS of security news/sites TRYING my best to stall them or block them out) & learn as best you can to "do a job right, do it yourself" & learn all you can to protect yourself.

APK

P.S.=> I know you're not stupid & neither are most here. You guys all KNOW this IS how it is & about all you can do, is your best... apk

Re:For now, but let's face facts... apk

Well, the simple truth is that there already more Linux machines than Windows machines out there and Linux has Mandatory Access Control that works - Windows doesn't. Unfortunately Google's Android doesn't use MAC and it therefore suffers from the same kind of problems as Windows - even so, the problems only affect a small fraction of phones/tablets.

Built-in Windows VPN

Windows has support for IPSec with IKEv2 that at least ProtonVPN supports. The speeds you can reach with it are 2-3x higher than OpenVPN.

Yes & routers are being attacked too

Yes, & routers are being attacked too - often based on Linux (another proof for me w/ ANDROID) but NOT on PC desktops afaik.

I'm one who went to Linux (to port an app of mine I note below) but I'm not the majority & neither are Linux users on the desktop. It HAS gotten nicer/better than last I used it consistently (2010) though, in its favor. It still does SOME things screwy (KDE tends to "LAG" for me for SOME reason I don't know @ times during the day, BUT does recover, for instance).

You're correct on ANDROID minus MAC std. Linux has, probably contributing to it on phones.

* Once other devices become "the norm" (vs. PC's for instance) they'll be attacked JUST like phones have been (which is WHY I personally "steer clear" of "smartphones" (which I consider DUMB phones due to what's happening on them)).

So, like I said? IF You have the time & inclination that is?? Do your best, learn all you can to TRY make your (& possibly others' rigs too) setup safer.

I've tried by giving away a ware of mine to help do so in my Hosts program since I do NOT like what I am seeing & have BEEN seeing increasing, the past few years now (in an increase of attackers worldwide).

APK

P.S.=> What bugs me MOST though is how software like browsers (& yes, OS even) are being turned into "advertising & tracking machines" sending who knows WHAT (often by default) & to where BY default... apk

Retard APK lies and runs from facts

Retard Alexander Peter Kowalski lies and runs from facts.
Like how he claims the Chinese copied him but can't produce any evidence.
How about when he states that hosts does port filtering but again can't backup his statement which was shown to be false.
There is also his list of "experts" who support him but it turns out they don't say what he is claiming.
This also ignores his out of context quotes he uses to lie by omission.
The problem with APK is that his entire reputation is built upon the lie he told years ago that hosts is an effective security solution. It has been exposed numerous times as being a lie and when exposed APK fails to argue logically and instead will try to deflect criticism, change the subject, move the goal posts, return to a previously disproved statement, demand you prove you did better than his file concatenator, or just call people names. Expect that he will used these tactics to try to deflect from these criticisms. He will continue to lie by stating that he won or "dusted" you while failing to refute anything you said, will never provide real evidence, and generally try to dodge the issue.

Face it APK is one of the most detested individuals here for good reason. When ever his poor behavior, awful logic, over statements, and horrendous writing are called out he has a fit and has done so for years across the internet. He is a spammer, and is an abusive insecure little man who is washed up and never amounted to anything. Until he produces actual verifiable facts supporting his case nothing he says should be taken seriously.

2 questions & on China... apk

See subject & 2 questions you won't answer: 1.) Do hosts stop threats served by hostname (the way threats are done most) by blocking them? Yes. 2.) Do hosts speed you up 2 ways in adblocking (preventing more infection/tracking/slowdown) & via hardcoded favorite sites resolving faster + protecting vs. dns down or redirect poisoned? Yes.

My hosts program's the only 1 that does the latter @ TOP of hosts cached in RAM (for best performance) & only 1 of its kind on Linux/BSD in easy to use flexible configuration GUI form.

(I also did that latter part LONG before the Chinese & 1st http://theregister.co.uk/2017/... )

APK

P.S.-> Have you done work that's that effective doing more for less faster in kernelmode speed (cpu priority) w/ less complexity for exploit + excess overheads vs. solutions KNOWN to be security-issue riddled (like addons (souled-out to NOT work by default OR easily detected & blocked that are BYPASSABLE & EXPLOITABLE), DNS & Antivirus)? No... apk

Security pros QUOTED on hosts vs. your lies

"classic Windows hosts trick to block the Coinhive or Crypto-Loot domains" - https://www.bleepingcomputer.comnews/security/a-new-player-joins-coinhive-on-the-browser-cryptojacking-scene/ - BLEEPING COMPUTER

SANS ("A related approach to the DNS issue is to create a hosts file on each system that sends requests for spyware to some place else. Both Ramu and an anonymous reader have suggested this" hosts by myself & RAMU right @ START of "malware explosion" mid 2005 on) https://isc.sans.edu/forums/di...

Aryeh Goretsky/ESET/NOD32: hosts = good security http://it.slashdot.org/comments.pl?sid=7442373&cid=49747129/

ZD NET http://www.zdnet.comarticle/how-to-use-a-hosts-file-to-improve-your-internet-experience/ "Hosts files really shine by letting you block ads, spyware sites, malware sites, & tracking sites"

Steve Gibson on hosts https://www.grc.comsn/sn-045.htm/

Oliver Day (SYMANTEC/SECURITYFOCUS) http://www.securityfocus.comcolumnists/491/

APK

Hosts efficacy this month alone

"It's working: Neville... it's working!" See subject & results from THIS month alone https://it.slashdot.org/commen... & https://it.slashdot.org/commen... + https://it.slashdot.org/commen... + https://it.slashdot.org/commen... that's only recently while I've been on Linux (few months now only) & 100's of times vs. MANY other botnets/malwares etc. in the past circa 2006-early 2018 while I was on Windows: There's BULLSHIT & doing nothing pessimsm & then? There's CONCRETE VISIBLE UNDENIABLE REALITY (see those links as proof).

P.S.=> ... & that's ONLY what /. reported on (there are FAR more)... apk

Thor SCHMUCK & ArseHoleTechnica LOL!

Arstechnica = losers who stalked me (as you do now anonymously unidentifiably) to NTCompatible.com & Windows IT Pro magazine forums to their public dismay in Jeremy Reimer & Jay Little + Jarrett DeAngelis (who posts here on /. until I drove his ass off too) when their websites were REMOVED by their hosting providers in Shaw Canada & CrystalTech (for both email harassing me caught on a tracking ticket + stalking me & posting lies about me on them AFTER I destroyed them both PUBLICLY @ Windows IT Pro on Exchange Servers memory being freed UNHALTING them (which tells you Exchange is HEAVILY POINTER ORIENTED linked list driven, which leads to memory fragmentation that CAN halt a serverware)).

Jay Little the "self-proclaimed 'EXCHANGE EXPERT'" HAD TO CONCEDE IT from MICROSOFT'S OWN DOCUMENTATION proving it FOR me there (where they as usual stalked me AS YOU ARE NOW)

Thor SCHMUCK?

Ask him WHY his false accusation of an old ware of mine was 1st taken down to NO threat & CA sold off the SHITTY antivir he sold (as a paid pawn of theirs) & they are GONE, done. dead... lol!

Lookup "CA Accounting Scandal" on Google - scumbags & THEIR BIRDS OF A FEATHER just go down vs. me everytime!

APK

P.S.=> TONS of Security experts KNOW blacklists work (no questions asked) & 3 things show I do it right:

1st = User praise my hosts engine https://tech.slashdot.org/comm... (so much for ME being "detested" but I'm not here to win a popularity contest - just here to WIN so everyone does).

2nd "ATTACKS" I GET (from UNIDENTIFIABLE ac as Elon Musk got https://tech.slashdot.org/stor... )

3rd BEING IMITATED = "Imitation = sincerest form of flattery" https://linux.slashdot.org/com... JUST LIKE CHINA DID ME TOO... apk

Retard APK can't stop with the failure

Retard Alexander Peter Kowalski just can't stop with the failure.
First he posts some deflections to try and get people to not pay attention to all the previously exposed failures.
Then he repeats his lie about the Chinese copying him and can't back it up with real facts, only wild ass speculation.
Then he deflects some more.
See APK has nothing and is a failure at everything, but as always the retarded man child just can't stop repeating his exposed lies as then he would have to admit to himself that he is a total failure.

For his first question the answer is yes but only after they have become well known and have been a threat for an extended time. Even at that it doesn't do jack for already infected systems and would be easily worked around. For his second question the answer is yes but even there there are better, faster, and more effective solutions that don't require someone spend 10s of minutes babysitting a shitty toy program in an attempt to gain milliseconds of speed when browsing. Also this ignores the slowness of linear searches which shitty hosts has to do and other can avoid because they don't suck like APK and his hosts file engine.

Wireguard

All these comments, and nobody is talking about Wireguard?

Retard APK repeats himself

Retard Alexander Peter Kowalski repeats himself more because he wants everyone to see his failure.
These experts he quotes were already show to not be saying what he is claiming yet he feels the need to continue repeating his unending failure.
He sure must like being shown to be a fucking retarded loser.

Now retard APK shows a list of his failures

Now we see retard Alexander Peter Kowalski is showing a list of his failures.
All I see there is a list of things his work failed to protect against until long after they were threats.
Must be hard having the jizz mopper of security solutions that only tries to mitigate the damage that has already been done.
As always retard APK is a day late and a dollar short with his solution that small children could figure out a work around for. I'll take any number of other solutions that actually stop entire categories of threats instead of one that can only stop a threat that happens to use host names after it has been around a long time, become large enough to get noticed, and then put into someones host file that I have to download with a slow bloated file concatenator that takes 10s of minutes to run.
Finally the retarded man child APK fails to understand what this month means.

are these forks?

[Paul+Carver]

The article isn't very clear. Are these forks of openvpn?

I mostly use Cisco AnyConnect for work and ssh tunneling for personal use, but I do have openvpn installed on my laptop and use it occasionally. I was thinking about installing it on my router and using it instead of ssh tunneling but I'm not sure if it's worth it.

I've never heard of either of the vpns mentioned in the article but the way the mix in mention of openvpn config files is confusing. Are the vulnerabilities only in proprietary forks of openvpn or could they be in the upstream code?

Anyone's welcome to examine those... apk

Anyone's welcome to examine those quotes I used & the links they came from here https://yro.slashdot.org/comme... to see YOU're a liar.

APK

P.S.=> A liar that HIDES from me by UNIDENTIFIABLE anonymous posts & who STALKS ME unceasingly - you're a pussy & a punk nobody (& you know it - so does everyone by this point)... apk

What you can't touch or can't touch you

What you can't touch or can't touch you (as it's blocked) is effective. They are STILL threats to those unprotected thus, stupid.

* Call me all the names you wish BUT HAVE YOU DONE BETTER? Hell no... lol!

All YOU do is HIDE from me by UNIDENTIFIABLE anonymous posts & STALK ME harassing me, you "ne'er-do-well" DO-NOTHING loser - but YOU certainly don't help the situation vs. malware etc. out there (but I do).

APK

P.S.=> I suspect you lack the SKILLS to create anything of value yourself actually... hence your JEALOUS "Lil' Jowie" self being HOW you are (a loser - sucks to be YOU).... apk

You're the failure hiding from me "ne'er-do-well"

You're the failure hiding from me "ne'er-do-well" & yes, you ARE a do-NOTHING "ne'er-do-well": Who did it 1st - China OR me? Me.

* Dates are ALL the proof I require!

(... & mind you - I'm the ONLY hosts program that does hardcoded favorites out there (that not only SPEED YOU UP but also make you more reliably connected vs. DNS down OR DNS redirect poisoned)).

APK

P.S.=> See subject you PSYCHOTIC pitiful JEALOUS "Lil' Jowie" loon who STALKS me by UNIDENTIFIABLE anonymous posts - I used to pity you being such a FAILURE You project you are - now, I realize you're probably SEVERELY mentally ill actually & obviously, YOU lack skills to produce anything of value others like & use (but I do)... apk

Retard APK tries to deflect some more

Retard Alexander Peter Kowalski tries to deflect some more from his unending failure.
Everyone can see his behavior put on display but he has to try to make himself look like he isn't a raging asshole retard.
After that he uses some out of context quotes where if he included all of them you would see people say that he is an asshole, and that he overstates what he and his work does.
Then he feeds his NPD because he can't admit he is a failure.
Finally he repeats the Chinese copied him lie yet again while still failing to provide any real evidence other than his own wild ass speculation while linking to someone who is making fun the mentally retarded APK.
Face it APK can't handle the truth and is so divorced from reality that he should probably be removed from the internet and likely put in an adult care facility. It would be for his own good as well as the greater community.

No, I merely stated verifiable facts... apk

See my subject line & seeing you PROJECT your abject "ne'er-do-well" STALKER failure onto me makes me laugh via your UNIDENTIFIABLE anonymous stalkings of me.

* Why not admit WHO you really are? You have something to HIDE (besides being a DO-NOTHING stalker & psychotic JEALOUS "Lil' Jowie" loon you clearly are)?? Yes, obviously...

By the way: I just LOVE your NPD Cry of the "ne'er-do-well" DO-NOTHING you give away you are by doing it.

APK

P.S.=> Grow up, get on topic & TRY to learn skills that make you valuable to others so you can be of service to others, because you aren't, period... apk