Cisco Patched Privilege Escalation Bugs In Two VPN Clients

A researcher from Cisco Talos has discovered security vulnerabilities in two popular VPN clients, NordVPN and ProtonVPN. Both VPNs use the open-source OpenVPN software to create secure tunnels between two points. Since the flaws targeted the OpenVPN configuration file, both VPN clients became vulnerable to cyber attacks. However, Cisco has now patched the privilege escalation bugs discovered in both VPNs.

Privilege Escalation Bugs Found In NordVPN And ProtonVPN

Security researcher Paul Rascagneres from Cisco Talos published a vulnerability report highlighting vulnerabilities in popular VPN clients. Reportedly, he discovered two privilege escalation bugs in NordVPN and ProtonVPN running on Windows systems. Both flaws were similar in nature, allowing an attacker to run arbitrary code.

As explained, since both these VPNs use the OpenVPN software, which requires administrator access, any malicious code run from the OpenVPN configuration file could acquire admin privileges. This means an attacker achieving admin access to a system could easily manipulate the configuration file by inserting malicious code with the specific code execution parameters and could therefore execute arbitrary commands.

Rascagneres further elaborated that the vulnerability existed because of how the service handles an OpenVPN configuration file sent by the user. This vulnerability was first discovered in April 2018 by Fabius Watson from the VerSprite cybersecurity firm. He created an OpenVPN configuration file which was sent to the service and executed. He thus highlighted that any potential attacker with administrator access could easily alter this file with arbitrary code.

At that time, both NordVPN and ProtonVPN released patches by employing checks on the presence of the parameters “plugin” and “script-security” at the beginning of a line.

However, Rascagneres discovered that anyone could bypass this patch by simply enclosing the parameters within quotation marks. He also presented PoCs for the bugs in both the ProtonVPN and NordVPN clients.

Both VPNs Released Patches For Bugs

As explained by the Cisco researcher, the parameters “plugin”, “script-security”, and even “up” and “down” could easily bypass the previous patch when enclosed within quotation marks. Hence, they presented another patch which appears more effective in eliminating these privilege escalation bugs. As stated in his report about the fix,

“The new patches developed by the editors are different. For ProtonVPN, they put the OpenVPN configuration file in the installation directory, and a standard user cannot modify it. Thus, we cannot add the malicious string in it. For NordVPN, the editor decided to use an XML model to generate an OpenVPN configuration file. A standard user cannot edit the template.”
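The following added example (not code from NordVPN, ProtonVPN or the Talos report) contrasts the line-prefix check of the first patch, as this article describes it, with a check that removes quoting before comparing the directive name. It assumes Python's `shlex` as an approximation of OpenVPN's quoting rules, and the sample configuration is constructed.

```python
import shlex

# The four parameter names this article lists as able to run commands.
DANGEROUS = {"plugin", "script-security", "up", "down"}

# Constructed sample: the directive names are wrapped in quotation marks.
SAMPLE = (
    "client\n"
    "dev tun\n"
    "# constructed sample\n"
    '"script-security" 2\n'
    '"up" "placeholder-command"\n'
)

def naive_check(config_text):
    """First patch as described: flag a line only when it literally
    begins with one of the two filtered parameter names."""
    return [line for line in config_text.splitlines()
            if line.startswith(("plugin", "script-security"))]

def directive_name(line):
    """Return the first token with quoting removed, or None for
    blank lines and comments."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#;":
        return None
    try:
        tokens = shlex.split(stripped)
    except ValueError:
        # Unbalanced quotes: refuse rather than guess what the parser sees.
        return "<unparseable>"
    return tokens[0] if tokens else None

def tokenized_check(config_text):
    """Flag (line number, directive) pairs whose unquoted name is dangerous
    or whose line cannot be tokenized."""
    hits = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        name = directive_name(line)
        if name in DANGEROUS or name == "<unparseable>":
            hits.append((number, name))
    return hits

if __name__ == "__main__":
    print("naive:", naive_check(SAMPLE))
    print("tokenized:", tokenized_check(SAMPLE))
```

A filter of this kind still depends on matching the real parser's behaviour exactly, which is why the fixes quoted above instead stop a standard user from writing to the configuration at all.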

The researcher discovered these vulnerabilities in NordVPN version 6.14.28.0 and ProtonVPN VPN Client version 1.5.1. Since both vendors have released patches, users can protect themselves from these flaws by updating their software to the latest versions. While NordVPN would automatically update the software for its users, ProtonVPN customers need to update their application manually.
