ProtonVPN, NordVPN Flaws Open Door to Privilege Escalation

A pair of vulnerabilities in the ProtonVPN and NordVPN Windows clients has been uncovered; both allow an attacker with access to the target machine to execute code as an administrator on Microsoft Windows.

In both cases [CVE-2018-3952 (NordVPN) and CVE-2018-4010 (ProtonVPN)], the clients share the same design, according to Cisco Talos: the user selects the VPN configuration (protocol, location of the VPN server and so on) in the user interface, which sends it to a privileged service in the form of an OpenVPN configuration file when the user clicks "connect." A service binary receives that configuration from the user interface and launches the OpenVPN client binary with the user-supplied configuration file, with administrator privileges.

The vulnerabilities disclosed this month are related to a critical bug previously discovered by VerSprite in April 2018, which affected both services. It allowed an attacker with access to the target PC to supply a specially crafted malicious OpenVPN configuration file, which the privileged service would then use to set up the user's VPN connection in place of a legitimate file, thereby handing the adversary escalated privileges.

“The ‘Connect’ method accepts a class instance argument that provides attacker control of the OpenVPN command line,” VerSprite explained in an alert it issued at the time. “An attacker can specify a dynamic library plugin that should run for every new VPN connection. This plugin will execute code in the context of the system user.”

While both vendors released patches in April, Cisco Talos found a way to bypass those patches, leading to the new vulnerability reports.

“Despite the fix, it is still possible to execute code as an administrator on the system,” Cisco Talos researchers explained in an advisory posted late last week, adding that the first patches implemented code to check “if the configuration file sent by the user contains a line starting by plugin, script-security, up or down. These are all the methods to execute code or commands through OpenVPN.”

However, by reading the source code of OpenVPN's configuration-file parser, it was still possible to write a configuration that OpenVPN accepts as valid but that does not match those line-prefix checks, bypassing the filters added by both VPN services.

“Talos used another method to exploit a part of the previously patched vulnerability,” a NordVPN spokesperson told Threatpost. “It is also important to keep in mind that this vulnerability could only have been exploited if an attacker had obtained access to the victim’s PC. Such a situation alone leads to a variety of severe security threats beyond any individual apps.”

Both vendors have issued patches for the new CVEs. “For ProtonVPN, they put the OpenVPN configuration file in the installation directory, and a standard user cannot modify it. Thus, we cannot add the malicious string in it,” Cisco Talos explained. “For NordVPN, the editor decided to use an XML model to generate an OpenVPN configuration file. A standard user cannot edit the template.”
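To make the difference between the two rounds of fixes concrete, here is an added example (not code from Cisco Talos, NordVPN, ProtonVPN or the OpenVPN project) that puts the first-round check, a blacklist on lines that start with plugin, script-security, up or down, next to a check that looks at the first token the way the OpenVPN parser would, and next to the second-round approach of generating the configuration from a vendor-controlled template with validated fields. The article does not say which construction Talos used to get past the prefix check; the sample configurations below are constructed to show two things OpenVPN's line tokenizer accepts in general (leading whitespace, and a quoted directive name), and `tokenize_line` is a simplified re-implementation of that tokenizer's behaviour as I understand it, not a copy of upstream code.

```python
"""Added illustration of the two fixes described above: a prefix blacklist on
OpenVPN config lines (first round) versus generating the file from a
vendor-controlled template (second round). Not code from Talos, NordVPN,
ProtonVPN or OpenVPN; the tokenizer is a simplified re-implementation of how
OpenVPN reads a config line, and the sample configs are constructed."""
import re

# The four directives the article names as OpenVPN's ways to run code or commands.
CODE_EXEC_DIRECTIVES = {"plugin", "script-security", "up", "down"}


def naive_filter(config_text):
    """First-round check as the article describes it: reject the file if any
    line *starts with* a forbidden keyword. Returns True when accepted."""
    for line in config_text.splitlines():
        if any(line.startswith(k) for k in CODE_EXEC_DIRECTIVES):
            return False
    return True


def tokenize_line(line):
    """Split one line roughly the way OpenVPN's parse_line() in options.c does
    (simplified; an assumption about upstream, not copied from it): leading
    whitespace is skipped, '#' or ';' before any token starts a comment,
    single or double quotes group a token, and a backslash escapes the next
    character inside double quotes."""
    tokens, cur, quote, i = [], None, None, 0
    while i < len(line):
        c = line[i]
        if quote:
            if c == quote:
                quote = None
            elif c == "\\" and quote == '"' and i + 1 < len(line):
                i += 1
                cur += line[i]
            else:
                cur += c
        elif c in " \t\r\n":
            if cur is not None:
                tokens.append(cur)
                cur = None
        elif c in "#;" and cur is None:
            break  # rest of the line is a comment
        elif c in "'\"":
            quote = c
            cur = "" if cur is None else cur
        else:
            cur = (cur or "") + c
        i += 1
    if cur is not None:
        tokens.append(cur)
    return tokens


def tokenizing_filter(config_text):
    """Blacklist applied to the first *token* of each line, i.e. to what the
    OpenVPN parser will actually treat as the directive. Still a denylist,
    so still fragile, but immune to whitespace and quoting tricks."""
    for line in config_text.splitlines():
        tokens = tokenize_line(line)
        if tokens and tokens[0] in CODE_EXEC_DIRECTIVES:
            return False
    return True


def build_config(server, port, proto):
    """Template approach of the second-round fix: the privileged side owns the
    directives and the user supplies only validated field values. Raises
    ValueError on anything that is not a plain lowercase hostname, port and
    protocol, so a newline can never smuggle in an extra directive."""
    port = int(port)
    if not re.fullmatch(r"[a-z0-9.-]{1,253}", server):
        raise ValueError("bad server name")
    if not 1 <= port <= 65535:
        raise ValueError("bad port")
    if proto not in ("udp", "tcp"):
        raise ValueError("bad proto")
    return f"client\ndev tun\nproto {proto}\nremote {server} {port}\n"


# Constructed sample inputs; not payloads from any disclosed exploit.
BENIGN = "client\ndev tun\nproto udp\nremote vpn.example.net 1194\n"
BLATANT = BENIGN + "plugin evil.dll\n"
LEADING_SPACE = BENIGN + "  plugin evil.dll\n"            # passes naive_filter
QUOTED = BENIGN + '"script-security" 2\n"up" evil.bat\n'  # passes naive_filter
```

The point a practitioner should take from this is the one both vendors eventually acted on: any denylist applied to text that a different, richer parser will later interpret has to reproduce that parser exactly, and the safer design is to never hand the privileged component a user-written file at all, only validated field values that it drops into its own template.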

“The vulnerability had already been fixed by the time Cisco publicly disclosed the CVE,” the NordVPN spokesperson noted. “At the beginning of August, an automatic update was pushed to all of our customers as well, so none of them should be vulnerable at the moment.”

She added that NordVPN has hired a company to run an independent app audit as well, which should be completed within a few months.

Tony Uceda Vélez, VerSprite’s founder and CEO, told Threatpost: “The VPN issues highlight the need for end users to stay abreast of patch releases from not only their OS vendors, but also their software vendors, who may have gotten an initial fix wrong the first time.”