Multiple Vulnerabilities Found In PureVPN – One Remains Unpatched

Researchers spotted a couple of security vulnerabilities in PureVPN Desktop clients for Linux that impact users’ privacy. While PureVPN patched one flaw, another RCE vulnerability remains unpatched.

Numerous PureVPN Vulnerabilities Affected Linux Clients

Security researchers Rafay Baloch and Muhammad Samaak discovered two different vulnerabilities when analyzing PureVPN Linux clients. In his blog post, Baloch specified the two issues as an IP leak and a remote code execution (under certain conditions).

The IP leak issue was caused by the improper handling of DNS queries by the PureVPN Linux client. Consequently, the vulnerability allowed VPN tunnel bypass, exposing the DNS queries to the ISP or the default DNS servers leaking users’ original IP addresses.

The researchers could verify this vulnerability through a simple IP leak test via Ipleak.net. As demonstrated, the original IP address from Pakistan clearly appeared in the DNS leak test despite being connected to a PureVPN server with Indian IP.

Talking to LHN, Baloch deemed this vulnerability “as severe as an RCE” because it fails to serve the entire purpose of using a VPN.

The second vulnerability is a remote code execution that existed due to how the PureVPN Linux client works. An adversary could exploit this vulnerability for malicious purposes, such as stealing credentials, bypassing app whitelists, and triggering denial of service. Describing the exact issue, the post reads,

When the login button is activated, a system call called ‘opennat()’ is initiated. This system call aims to load the ‘libnssckbi.so’ shared library file from a location that allows user-writable access… However, it is essential to note that the specified path lacks the existence of the ‘libnssckbi.so’ file.
This presents a security vulnerability, potentially enabling malicious actors to execute arbitrary code by placing a file named ‘libnssckbi.so’ in the designated path.

The following video serves as a PoC for the PureVPN remote code execution flaw.

PureVPN Patched The IP Leak – But The RCE Awaits An Appropriate Fix

Upon discovering the flaws, the researchers reported the matter to PureVPN. In response, PureVPN fixed the IP leak issue but refused to address the RCE flaw.

Despite being a severe issue, exploiting the RCE flaw requires local access to the target system. Besides, analyzing the root cause of this code execution vulnerability made evident a broader issue affecting many other applications too. This vulnerability didn’t typically affect PureVPN; rather, it existed in Chromium’s Electron software framework that powers PureVPN, Google Chrome, Slack, and more, making all the apps similarly vulnerable.

That’s what PureVPN and Google Chrome highlighted in their responses to Baloch’s report. Consequently, while PureVPN put the onus of addressing the flaw on Google, the latter simply deemed the matter as out of the scope of its threat model.

However, Baloch noted that the vulnerability shouldn’t be taken lightly for a critical application like PureVPN.  Commenting on his interaction with PureVPN regarding the bug disclosure, Baloch told LHN,

The response was satisfactory; however, I expected a more aggressive response given that they are a security company, and user privacy is their primary concern. The RCE has been marked as “Won’t fix.” However, especially for a VPN service that users rely on for enhanced privacy and security, this should have been addressed.

Watch Out For VPN Issues

While security vulnerabilities are always risky, they are particularly dangerous for VPN users as they directly impact users’ online privacy. Therefore, whenever such reports surface online, users must pay attention to the matter and ponder over continuing their VPN use until bug fixes.

For example, in September, AtlasVPN made it to the news for a zero-day affecting its Linux clients. While the service pledged to deliver a fix, it took them a few days to release the patch. Until then, the users remained vulnerable to exploits unless they stopped using the service.

In the case of the recently discovered PureVPN vulnerabilities, the unpatched RCE flaw isn’t as dangerous since it typically requires local access from an attacker. Nonetheless, users who cannot surely prevent unwarranted local access to their devices must remain careful about PureVPN’s use until the matter gets fixed.

Let us know your thoughts in the comments.