Security Holes Discovered in 2 Popular VPN Services

Security Holes Discovered in 2 Popular VPN Services

VPN services work by passing traffic through an encrypted tunnel, which providers say can help preserve your privacy and security online. However, two of the most popular VPNs were, at least for a time, exposing users to a serious security flaw could let attackers run arbitrary code on an affected computer.

According to a post from Cisco Talos security researchers, both NordVPN and ProtonVPN suffered from vulnerabilities in the way their desktop clients accessed VPN services. The bugs, known as CVE-2018-3952 and CVE-2018-4010, opened the door to so-called privilege escalation attack. The attacker could, in theory, run any code they wanted as a regular user with administrator privileges.

The vulnerabilities might never have been discovered if not for a separate exploit that both providers patched several months ago. Following the CVE-2018-10169 in April, security researchers from Talos started looking for similar exploits. They found it was still possible to force the NordVPN and ProtonVPN clients to run arbitrary code via the newly detailed methods.

According to Talos, the Windows clients for both VPN services execute OpenVPN binaries per the permission of a logged-in user. For example, you could use the NordVPN or ProtonVPN client to activate a VPN connection with a server in a particular location. The client executed the necessary binary on your system to make the connection. The original CVE-2018-10169 allowed attackers to substitute a malicious OpenVPN file that could hijack a connection.

Both services deployed a fix for CVE-2018-10169 in April, but Talos discovered a coding mistake in the patch. As a result, it was still possible to run arbitrary code when the user clicked “connect.” For both exploits, the attacker needed to have access to the victim’s PC prior to exploiting the VPN services. Talos alerted both VPN providers earlier this year and withheld disclosure until new patches were pushed out to users.

A Talos demo using the bug to launch Notepad when the VPN connects.
A Talos demo using the bug to launch Notepad when the VPN connects.

ProtonVPN solved the problem by moving the OpenVPN configuration files into the installation directory where non-administrator users can’t modify them. NordVPN implemented an XML model to generate OpenVPN configuration files, and non-administrator users cannot edit the XML template.

If you use either of these VPN services, make sure you update your client to the latest build. Both NordVPN and ProtonVPN are keen to point out there is no evidence of the vulnerabilities being exploited in the wild. Still, better safe than sorry.

Continue reading

The Best Smart Home Security Systems
The Best Smart Home Security Systems

Once a niche business with a few traditional players and some startups, home security systems are now a major battleground for not just security companies, but several internet giants. We round up highlights of the most popular options for 2020.

Microsoft: Pluton Chip Will Bring Xbox-Like Security to Windows PCs
Microsoft: Pluton Chip Will Bring Xbox-Like Security to Windows PCs

Intel, AMD, and Qualcomm are working to make Pluton part of their upcoming designs, which should make PCs more difficult to hack, but it also bakes Microsoft technology into your hardware.

Security Researcher: ‘solarwinds123’ Password Left Firm Vulnerable in 2019
Security Researcher: ‘solarwinds123’ Password Left Firm Vulnerable in 2019

SolarWinds, the company at the center of the massive hack that hit US government agencies and corporations, doesn't exactly use cutting-edge password techniques.

A File Sharing App With 1 Billion Downloads Has a Major Security Flaw
A File Sharing App With 1 Billion Downloads Has a Major Security Flaw

Trend Micro says SHAREit is a security nightmare that could allow intruders to sneak a peek at your data or even install malware. Perhaps most troublingly, the developers have not responded to Trend Micro's warnings.