Popular VPNs Contained Code Execution Security Flaws, Despite Patches (zdnet.com)
Researchers have uncovered vulnerabilities in popular virtual private network (VPN) software, ProtonVPN and NordVPN, which can lead to the execution of arbitrary code by attackers. From a report: Last week, Cisco Talos security researchers said the security flaws, CVE-2018-3952 and CVE-2018-4010, permit code execution by attackers on Microsoft Windows machines. The vulnerabilities are similar to a Windows privilege escalation security flaw uncovered by VerSprite, which is tracked as CVE-2018-10169. Security patches were applied in April by both clients to resolve the original security hole, but according to Talos, "despite the fix, it is still possible to execute code as an administrator on the system." The initial vulnerability was caused by similar design issues in both clients. The interface for both NordVPN and ProtonVPN executes binaries with the permission of a logged-in user, and this includes the selection of a VPN configuration option, such as a desired VPN server location. This information is sent to a service when "connect" is clicked by way of an OpenVPN configuration file. However, VerSprite was able to create a crafted OpenVPN file which could be sent to the service, loaded, and executed.
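The design flaw described above is a trust boundary problem: a GUI running as the logged-in user hands an OpenVPN configuration file to a privileged service, which loads and runs it. As an added example (not code from ProtonVPN, NordVPN, VerSprite or Talos), the Python below shows the check such a service should apply before starting OpenVPN: every directive must be on an allowlist, so directives that run programs or write files as the service account are refused by default rather than enumerated; the directive set, the inline-block set and the `vpn.example.test` sample are assumptions.

```python
"""Allowlist check for an OpenVPN client profile before a privileged service
hands it to openvpn.exe.  Added example, not code from ProtonVPN, NordVPN,
VerSprite or Talos.  Assumes the GUI (logged-in user) is untrusted input."""
import re

# Directives a plain client profile needs (assumed minimal set); each regex must
# match the whole argument string.  Anything else (up/down/plugin/log/...) is rejected.
ALLOWED = {
    "client": r"", "nobind": r"", "persist-key": r"", "persist-tun": r"",
    "dev": r"tun", "proto": r"udp|tcp", "remote-cert-tls": r"server",
    "remote": r"[A-Za-z0-9.-]+ \d{1,5}", "cipher": r"[A-Z0-9-]+", "auth": r"[A-Z0-9]+",
}
ALLOWED_BLOCKS = {"ca", "tls-auth"}   # inline PEM blocks we accept

def validate_openvpn_config(text):
    """Return (ok, reasons); ok is True only if every line is allowlisted."""
    reasons, block = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if block:                              # inside <ca>...</ca>: skip PEM body
            if line == f"</{block}>":
                block = None
            continue
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m and m.group(1) in ALLOWED_BLOCKS:
            block = m.group(1)
            continue                           # a disallowed <block> falls through
        parts = line.split(None, 1)
        name, args = parts[0], (parts[1] if len(parts) > 1 else "")
        pattern = ALLOWED.get(name)
        if pattern is None:
            reasons.append(f"line {lineno}: directive '{name}' not allowlisted")
        elif not re.fullmatch(pattern, args):
            reasons.append(f"line {lineno}: bad argument for '{name}': {args!r}")
    if block:
        reasons.append(f"unterminated <{block}> block")
    return not reasons, reasons

# Constructed samples: a benign profile, then the same profile with a script
# hook appended (placeholder path, not a real payload).
GOOD = """client
dev tun
remote vpn.example.test 1194
remote-cert-tls server
<ca>
PLACEHOLDER-PEM
</ca>
"""
BAD = GOOD + "script-security 2\nup C:\\PLACEHOLDER\\hook.bat\n"
```

Because unknown directives are rejected rather than blocklisted, a new or renamed script hook in a future OpenVPN release is still refused until someone deliberately adds it to the allowlist.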
Intuitively, why can't we come up with some simple conduits that are sufficiently simple and vetted that we can be reasonably sure that ill-conditioned inputs can't escape the sandbox? Then and only then build the convenience features on top of this?
Perhaps today's XKCD explains this very problem quite well. Firewalls prevent easy communications between component services.
True. But for a VPN there are just a few enumerable things it actually needs to do correctly. It doesn't actually need admin privileges to carry the message, just admin privileges to set up the network tunnels. So how is it possible one can't write a system where the message can execute as root?
I suspect it's because people see some speed shortcut similar to ActiveX or ssh -Y X Windows that values shortcuts.
Some drink at the fountain of knowledge. Others just gargle.
For a change, TFS tells which OS is targeted by these attacks. Thanks!
Slashdot, fix the reply notifications... You won't get away with it...