Popular VPNs contained code execution security flaws, despite patches

Updated: Patches applied to a vulnerability in ProtonVPN and NordVPN builds led to the discovery of separate bugs which had to be resolved quickly in recent updates.
Written by Charlie Osborne, Contributing Writer

Researchers have uncovered vulnerabilities in popular virtual private network (VPN) software, ProtonVPN and NordVPN, which can lead to the execution of arbitrary code by attackers.

Last week, Cisco Talos security researchers said the security flaws, CVE-2018-3952 and CVE-2018-4010, permit code execution by attackers on Microsoft Windows machines.

The vulnerabilities are similar to a Windows privilege escalation security flaw uncovered by VerSprite, which is tracked as CVE-2018-10169.

Security patches were applied in April by both clients to resolve the original security hole, but according to Talos, "despite the fix, it [was] still possible to execute code as an administrator on the system" through a different means of exploit.

The initial vulnerability was caused by a similar design issue in both clients. The user interface of NordVPN and ProtonVPN runs with the permissions of the logged-in user and accepts that user's configuration choices, such as the desired VPN server location.

When "connect" is clicked, this information is passed to a privileged Windows service in the form of an OpenVPN configuration file. VerSprite was able to craft an OpenVPN file which, once sent to the service, was loaded and executed with the service's privileges.


"The 'Connect' method accepts a class instance argument that provides attacker control of the OpenVPN command line," the vulnerability description reads. "An attacker can specify a dynamic library plugin that should run for every new VPN connection. This plugin will execute code in the context of the SYSTEM user."

The malicious content of the OpenVPN file can then lead to tampering with the VPN service, information disclosure, and takeover of the machine through arbitrary commands run with the service's privileges.


Both VPN software providers implemented the same kind of patch: a check on the content of the OpenVPN configuration file before the service uses it.

However, Cisco Talos says that the check contained a small coding flaw which permits attackers to circumvent the fix.

During testing of ProtonVPN version 1.5.1 and NordVPN, the security researchers found that the original patches for both VPN clients could be bypassed.

The first bug, CVE-2018-3952, impacts NordVPN, a VPN service which caters for over one million users worldwide. The second security flaw, CVE-2018-4010, relates to ProtonVPN, a relatively new VPN client which began as a crowdfunding project.

Both vulnerabilities can lead to privilege escalation and arbitrary command execution.


NordVPN developed a patch to resolve the problem in August, while ProtonVPN took a little longer and created a fix earlier this month.

In the former case, the company used an XML model to generate the OpenVPN configuration file, so that users cannot edit its contents; in the latter, the OpenVPN configuration files were relocated to the installation directory, where standard users cannot modify them.
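The two patterns described above, a content check on a user-supplied OpenVPN file (the first round of patches, which Talos found bypassable) and a service that generates the file itself from a constrained model (NordVPN's second fix), are illustrated in the following added example. This is not the vendors' code and does not reproduce the specific flaw Talos found; the `naive_is_safe` function is a hypothetical line-prefix deny list standing in for the general class of "string check on a config file" mistakes, and `hardened_is_safe` and `render_config` show the allowlist and model-generation approaches. The directive names come from OpenVPN's documented options; the `ALLOWED` set, `ConnectionModel`, the hostname regex and the sample configuration are assumptions made for the example.

```python
"""Added example: validating vs. generating OpenVPN configuration in a privileged helper service."""
from dataclasses import dataclass
import re

# OpenVPN directives that make the openvpn process load a library, run a
# command, or pull in further configuration. If a standard user can get any
# of them into a config consumed by a SYSTEM service, that is privilege
# escalation (the "plugin" directive is the one in the Talos/VerSprite writeups).
DANGEROUS = {
    "plugin", "up", "down", "route-up", "route-pre-down", "ipchange",
    "tls-verify", "script-security", "config", "management",
}

# Assumed allowlist: the only directives a client of this hypothetical service
# is permitted to control. Rejecting everything else avoids having to keep a
# deny list complete.
ALLOWED = {
    "client", "dev", "proto", "remote", "resolv-retry", "nobind",
    "persist-key", "persist-tun", "remote-cert-tls", "cipher", "auth",
    "verb", "auth-user-pass", "tun-mtu", "mssfix",
}
ALLOWED_INLINE_BLOCKS = {"ca", "tls-auth", "tls-crypt"}


def naive_is_safe(config_text: str) -> bool:
    """Hypothetical weak check: a deny list matched against the raw start of
    each line. OpenVPN ignores leading whitespace and accepts an optional
    '--' before an option name, so ' --plugin evil.dll' slips through."""
    for line in config_text.splitlines():
        if any(line.startswith(d) for d in DANGEROUS):
            return False
    return True


def iter_directives(config_text: str):
    """Yield directive names as OpenVPN's config parser would see them:
    leading whitespace dropped, '#'/';' comment lines skipped, optional '--'
    prefix stripped, and an inline <tag>...</tag> block yielded once as 'tag'
    with its body (certificate/key material) not parsed as directives."""
    in_block = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if in_block is not None:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.match(r"<([A-Za-z0-9-]+)>$", line)
        if m:
            in_block = m.group(1)
            yield in_block
            continue
        name = line.split(None, 1)[0]
        if name.startswith("--"):
            name = name[2:]
        yield name


def hardened_is_safe(config_text: str) -> bool:
    """Allowlist check performed on the parsed directive name, not the raw line."""
    return all(
        name in ALLOWED or name in ALLOWED_INLINE_BLOCKS
        for name in iter_directives(config_text)
    )


# Assumed hostname syntax for the model: DNS labels only, no whitespace or
# newlines, so a value cannot smuggle a second directive into the template.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+$"
)


@dataclass(frozen=True)
class ConnectionModel:
    """The few fields a user may choose; the service renders the file itself."""
    server: str
    port: int = 1194
    proto: str = "udp"

    def validate(self) -> None:
        if not HOSTNAME_RE.match(self.server):
            raise ValueError("server is not a valid hostname")
        if not 1 <= self.port <= 65535:
            raise ValueError("port out of range")
        if self.proto not in ("udp", "tcp"):
            raise ValueError("proto must be udp or tcp")


def render_config(model: ConnectionModel) -> str:
    """Generate the OpenVPN file from the validated model; the user never
    supplies config text, so no deny or allow list has to be complete."""
    model.validate()
    return "\n".join([
        "client",
        "dev tun",
        f"proto {model.proto}",
        f"remote {model.server} {model.port}",
        "resolv-retry infinite",
        "nobind",
        "persist-key",
        "persist-tun",
        "remote-cert-tls server",
        "verb 3",
    ]) + "\n"


# Constructed sample: a user-supplied config that a prefix deny list accepts.
BYPASS_CONFIG = "client\ndev tun\n --plugin evil.dll\nremote vpn.example.invalid 1194\n"

if __name__ == "__main__":
    print("naive accepts bypass:", naive_is_safe(BYPASS_CONFIG))       # True
    print("hardened accepts bypass:", hardened_is_safe(BYPASS_CONFIG)) # False
    print(render_config(ConnectionModel("us-1.example.invalid")))
```

The point of `render_config` is the same as the XML-model fix: once the privileged side builds the file from a handful of validated scalar fields, the question "which directives are dangerous" no longer has to be answered at all, and the remaining risk is confined to the field validation (hence the strict hostname pattern, which also blocks newline injection into the template).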

Users should update their NordVPN and ProtonVPN builds as quickly as possible to avoid compromise through the bugs.

Update 10.31 BST: A ProtonVPN spokesperson told ZDNet:

"Later versions of ProtonVPN have resolved this issue and users have been automatically prompted to update. We have not seen any evidence of this being exploited in the wild, as a user's computer needs to first be compromised by a hacker before this bug can be exploited.

The fix we have implemented should eliminate all bugs of this nature. We continue to work with independent security researchers around the globe to make ProtonVPN more secure through our bug bounty program."

Update 15.04 BST:

NordVPN CMO Marty Kamden told ZDNet:

"The vulnerability had already been fixed by the time Cisco publicly disclosed the CVE. The update has already been pushed to all of our customers as well, and none of them are vulnerable at the moment.

It is also important to keep in mind that this vulnerability could only have been exploited if an attacker had obtained access to the victim's PC. Such a situation alone leads to a variety of severe security threats beyond any individual apps."
