Heads up, Atlas VPN users! A serious zero-day flaw affects the Atlas VPN Linux client, risking the systems. While the bug has been reported, the VPN providers haven’t patched the flaw yet, assuring the fix in an upcoming release. Until the patch arrives, VPN users, particularly Linux users, should avoid using the software to remain safe.
Atlas VPN Zero-Day Awaits A Patch
An anonymous user recently caused a stir on the internet by abruptly dropping an Atlas VPN zero-day on Reddit. The user with the alias “Educational-Map-8145” (account now suspended) posted the PoC exploit on Reddit after getting disappointed with the service’s support response.
As explained in the post, the Atlas VPN Linux client includes two components: atlasvpnd – a daemon managing the connections, and atlasvpn – the client. The poster found that the VPN client used no secure methods to connect. Instead, it “opens an API on local host on port 8076,” which lacked authentication. That’s where the problem existed since anyone could access the open API endpoint without authentication and abruptly disconnect active VPN connections.
This port can be accessed by ANY program running on the computer, including the browser. A malicious javascript on ANY website can therefore craft a request to that port and disconnect the VPN. If it then runs another request, this leaks the users home IP address to ANY website using the exploit code.
The post also includes the exploit code, which, while not intended for malicious use, risked Atlas VPN users.
Following this post, Amazon cybersecurity engineer Chris Partridge also presented the exploit in the following video. He also demonstrated that the PoC bypassed existing Cross-Origin Resource Sharing (CORS) on web browsers as the requests impersonate form submissions (exempted from CORS) to reach the Atlas VPN API.
While the poster didn’t anticipate a response to his post (as reflected by his words), Atlas VPN’s IT Department Head replied right there. According to the official’s comment, the VPN provider pledged to fix the issue, releasing an update for the Atlas VPN Linux client with the patch. Moreover, the official also apologized for the poor support response the poster had to face, ensuring to improvise this process, too.
While Atlas VPN has pledged the fix, the existing Linux clients are vulnerable. Thus, Atlas VPN customers should avoid using it on their Linux devices until the patch arrives.
Let us know your thoughts in the comments.