A pair of vulnerabilities in the ProtonVPN and NordVPN VPN clients have been uncovered, which allow attackers to execute code as an administrator on targeted Microsoft Windows machines.
In both cases [CVE-2018-3952 (NordVPN) and CVE-2018-4010 (ProtonVPN)], the clients share the same design, according to Cisco Talos: the user selects the VPN configuration, such as the protocol, the location of the VPN server and so on, and when the user clicks “connect,” the user interface sends that selection to a privileged service in the form of an OpenVPN configuration file. That service binary receives the configuration from the user interface and executes the OpenVPN client binary with the user-supplied configuration file, with administrator privileges.
The vulnerabilities disclosed this month are related to a critical bug previously discovered by VerSprite in April 2018: CVE-2018-10169, which affected both services. It allowed an attacker with access to the target PC to supply a specially crafted malicious OpenVPN configuration file, which the privileged service would use to start the VPN connection in place of a legitimate file. Because the service runs OpenVPN with administrator privileges, this gave the adversary escalated privileges.
“The ‘Connect’ method accepts a class instance argument that provides attacker control of the OpenVPN command line,” VerSprite explained in an alert it issued at the time. “An attacker can specify a dynamic library plugin that should run for every new VPN connection. This plugin will execute code in the context of the system user.”
While both vendors released patches in April, Cisco Talos found a way to bypass those patches, leading to the new vulnerability reports.
“Despite the fix, it is still possible to execute code as an administrator on the system,” Cisco Talos researchers explained in an advisory posted late last week, adding that the first patches implemented code to check “if the configuration file sent by the user contains a line starting by plugin, script-security, up or down. These are all the methods to execute code or commands through OpenVPN.”
However, by reading the source code of OpenVPN’s configuration-file parser, the researchers found that a directive can be written in a form that the clients’ line-prefix checks do not match but that OpenVPN still parses as valid, which is enough to bypass the VPN services’ checks.
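The failure mode described above, a denylist check in the privileged service that does not tokenize a line the way the consumer (OpenVPN) does, as an added example in Python. This is not code from Cisco Talos, ProtonVPN or NordVPN. The tokenizer is a deliberately simplified model of how an OpenVPN-style parser reads a config line (leading whitespace skipped, quotes grouping a token, `#`/`;` comments) and is an assumption, not OpenVPN’s own code; the specific bypass strings (an indented line, a quoted directive) are likewise constructed for illustration, since the article does not print the strings Talos used.

```python
"""
Added example, not code from the vendors or from Cisco Talos.

Shows why a line-prefix denylist in a privileged helper is weaker than
the parser it is trying to protect: the helper and OpenVPN disagree on
what the "first word" of a line is.
"""

# The four directives the article names as OpenVPN's ways of running
# code or commands.
DANGEROUS = {"plugin", "script-security", "up", "down"}


def naive_check(config_text: str) -> bool:
    """First-patch style check: reject the file if any raw line *starts
    with* a dangerous directive.  Returns True if the file is accepted."""
    for line in config_text.splitlines():
        if any(line.startswith(word) for word in DANGEROUS):
            return False
    return True


def tokenize(line: str) -> list[str]:
    """Simplified model of an OpenVPN config-line parser (an assumption,
    not OpenVPN's code): skip leading whitespace, split on whitespace,
    let single or double quotes group a token, and treat '#' or ';' at
    the start of a token as a comment.  Backslash escapes are omitted."""
    tokens: list[str] = []
    cur = ""
    quote = None
    in_token = False
    for ch in line:
        if quote:
            if ch == quote:
                quote = None
            else:
                cur += ch
            continue
        if ch in "\"'":
            quote = ch
            in_token = True
            continue
        if ch in " \t\r\n":
            if in_token:
                tokens.append(cur)
                cur, in_token = "", False
            continue
        if ch in "#;" and not in_token:
            break
        cur += ch
        in_token = True
    if in_token:
        tokens.append(cur)
    return tokens


def first_directives(config_text: str) -> list[str]:
    """The directive name OpenVPN would see on each non-empty line."""
    return [toks[0] for toks in map(tokenize, config_text.splitlines()) if toks]


def parsed_check(config_text: str) -> bool:
    """Check keyed off the *parsed* first token, i.e. what the consumer
    will actually act on.  Returns True if the file is accepted."""
    return not any(name in DANGEROUS for name in first_directives(config_text))


# Constructed sample configs (hostnames and paths are placeholders).
BENIGN = "client\nremote vpn.example.net 1194\nproto udp\n"
OBVIOUS = BENIGN + "plugin evil.dll\n"                 # caught by both checks
INDENTED = BENIGN + "  plugin evil.dll\n"              # assumed bypass form
QUOTED = BENIGN + '"script-security" 2\n"up" C:\\Temp\\run.bat\n'  # assumed bypass form


if __name__ == "__main__":
    for name, cfg in [("benign", BENIGN), ("obvious", OBVIOUS),
                      ("indented", INDENTED), ("quoted", QUOTED)]:
        print(f"{name:9} naive={naive_check(cfg)!s:5} parsed={parsed_check(cfg)!s:5} "
              f"directives={first_directives(cfg)}")
```

The indented and quoted files pass `naive_check` but `parsed_check` rejects them, because it asks the same question OpenVPN asks. Even the parsed check is only a denylist against a parser it re-implements, and any drift between the two reopens the hole; the more robust fix, and the one both vendors ultimately chose according to the article, is to stop accepting a user-writable file at all and have the privileged service read a template the standard user cannot edit.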
“Talos used another method to exploit a part of previously patched vulnerability,” a NordVPN spokesperson told Threatpost. “It is also important to keep in mind that this vulnerability could only have been exploited if an attacker had obtained access to the victim’s PC. Such a situation alone leads to a variety of severe security threats beyond any individual apps.”
Both vendors have issued patches for the new CVEs: “For ProtonVPN, they put the OpenVPN configuration file in the installation directory, and a standard user cannot modify it. Thus, we cannot add the malicious string in it,” Cisco Talos explained. “For NordVPN, the editor decided to use an XML model to generate an OpenVPN configuration file. A standard user cannot edit the template.”
The vendors also weighed in with statements to Threatpost: “Later versions of ProtonVPN have resolved this issue and an update has been rolled out to all users,” ProtonVPN said via email. “It is important to note that an attacker needs to already have access to the target’s computer for this exploit to work, and it only impacts Windows users. The fix we have implemented should eliminate all bugs of this nature, and we continue to work with independent security researchers around the globe to make ProtonVPN more secure through our bug-bounty program.”
The NordVPN spokesperson noted: “The vulnerability had already been fixed by the time Cisco publicly disclosed the CVE. In the beginning of August an automatic update has been pushed to all of our customers as well, so none of them should be vulnerable at the moment.”
She added that NordVPN has hired a company to run an independent app audit as well, which should be completed within a few months.
Tony Uceda Vélez, VerSprite’s founder and CEO, told Threatpost: “The VPN issues highlight the need for end users to stay abreast of patch releases from not only their OS vendors, but also their software vendors, who may have gotten an initial fix wrong the first time.”
This post was updated at 11:57 a.m. Sept. 11, 2018 to include a statement from ProtonVPN.