VPN services are becoming more and more popular, but like all software, they are not free from problems. In the case of the very popular NordVPN and ProtonVPN, we have recently seen an interesting situation in which the introduction of a patch led to the discovery of further vulnerabilities of a similar nature. Fortunately, the vulnerabilities were protected against disclosure and there is no indication that they were used in real attacks.
Both programs had the same design flaw. The program's user interface runs with the privileges of the logged-in user, and this also applies to choosing VPN settings, such as selecting the target server. When the user clicked the “connect” button, the address was passed to the service via an OpenVPN configuration file.
It was possible to craft the file so that, once it was loaded, malicious code referenced in it would be executed, provided the VPN client was running on a Windows machine. The method that launches OpenVPN accepts the argument in a way that can give the attacker control of the OpenVPN command line. The attacker can then specify a dynamic library that will be loaded each time a VPN connection is made, with its code running in the context of the SYSTEM user. In this way, an attacker can cause the disclosure of transmitted information, modify the VPN or take control of the connection.
The vulnerability was discovered by VerSprite in April and is tracked as CVE-2018-10169. Both VPN clients were patched prior to its disclosure with the same fix, which adds a check of the contents of the OpenVPN configuration file. However, researchers at Cisco Talos discovered that code execution with administrator privileges was still possible, this time through a different vulnerability that bypasses the April patch.
CVE-2018-3952 was found in the NordVPN client 220.127.116.11, which is used by over a million people in different countries. CVE-2018-4010 is present in ProtonVPN 1.5.1, a younger client that nevertheless enjoys a good reputation. From a technical point of view, the vulnerabilities resemble the one discovered by VerSprite and, like it, allow code to be executed with higher privileges. Both flaws would probably not have been discovered had it not been for the April patch.
NordVPN received a fix in August. Its solution seems quite elegant: it uses an XML model to generate the OpenVPN configuration and saves it in a file that the user cannot modify. ProtonVPN solved the problem in early September by moving the configuration to the program folder, where a standard user does not have permission to modify files. So for the time being we have nothing to worry about. Of course, we recommend installing the latest NordVPN and ProtonVPN clients.
The vulnerabilities were probably not used in attacks. Exploiting them is quite difficult, because the attacker must first gain access to the system.
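The approach described for NordVPN's fix, building the configuration from a structured request rather than accepting a user-written file, sketched as an added example (this is not NordVPN's code). The `<connection>` schema, its field names and the emitted template are assumptions made for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Hypothetical request schema: the only settings the unprivileged UI may supply.
ALLOWED_FIELDS = {"host", "port", "proto"}
HOST_CHARS = re.compile(r"[A-Za-z0-9.:-]{1,253}")
HOSTNAME_RE = re.compile(r"([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}")


def _valid_host(value: str) -> bool:
    """Accept an IP literal or a DNS name; no whitespace, quotes or newlines."""
    if not HOST_CHARS.fullmatch(value):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.fullmatch(value) is not None


def build_openvpn_config(xml_text: str) -> str:
    """Build config text from the UI's XML request; ValueError on anything unexpected."""
    if "<!" in xml_text:  # no DTDs, entities, comments or CDATA in a request
        raise ValueError("markup declarations not allowed")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError("malformed XML") from exc
    if root.tag != "connection" or root.attrib:
        raise ValueError("unexpected root element")
    fields = {}
    for child in root:
        if child.tag not in ALLOWED_FIELDS or child.tag in fields or len(child) or child.attrib:
            raise ValueError(f"field not allowed: {child.tag!r}")
        fields[child.tag] = child.text or ""
    if set(fields) != ALLOWED_FIELDS:
        raise ValueError("missing field")
    if not _valid_host(fields["host"]):
        raise ValueError("invalid host")
    if not re.fullmatch(r"[0-9]{1,5}", fields["port"]) or not 1 <= int(fields["port"]) <= 65535:
        raise ValueError("invalid port")
    if fields["proto"] not in ("udp", "tcp"):
        raise ValueError("invalid proto")
    # Every directive name comes from this fixed template, never from the request.
    lines = ["client", "dev tun", f"proto {fields['proto']}",
             f"remote {fields['host']} {fields['port']}", ""]
    return "\n".join(lines)
```

The privileged service would write the returned text to a location the standard user cannot modify, which is the second half of both vendors' fixes as described above.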