Popular VPNs contained code execution security flaws, despite patches (Sep 10, 2018)
Security researchers from Cisco Talos disclosed two vulnerabilities in the popular Virtual Private Network (VPN) applications ProtonVPN and NordVPN, registered as CVE-2018-3952 (NordVPN) and CVE-2018-4010 (ProtonVPN), that allow a threat actor to execute arbitrary code on Microsoft Windows machines. Security patches for both applications were released and applied in April 2018, but it is still possible to circumvent that fix and execute code as an administrator on the system. In both applications, a logged-in user can invoke binaries that accept the VPN configuration option used to select a specific VPN server location. That configuration is handed to the privileged service as an OpenVPN configuration file, into which a threat actor can insert their own command-line directives. Because an OpenVPN file can instruct OpenVPN to load a dynamic library plugin on every new VPN connection, a crafted file results in attacker-controlled code running in the context of the SYSTEM user. A malicious OpenVPN file can therefore be used for tampering with the VPN service, information disclosure, and hijacking of the host through arbitrary commands; both vulnerabilities allow privilege escalation and arbitrary command execution.
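The root cause described above is a privileged service that trusts an OpenVPN configuration supplied by an unprivileged client. The check below is an added example, not code from Cisco Talos, NordVPN or ProtonVPN: it audits a client-supplied OpenVPN config for directives that load code or spawn processes (the directive names are real OpenVPN options) before the service would pass the file to openvpn.exe. The allowlist, the sample configs and the file paths are constructed for this example. The check only helps when it runs inside the SYSTEM service; a filter in the client process is useless, because the client runs as the attacker.

```python
"""
Added example: validate a client-supplied OpenVPN config inside a privileged
VPN service. Not the vendors' code; allowlist and samples are assumptions.
"""
import re

# OpenVPN directives that load code or run programs. In a config handed by an
# unprivileged client to a SYSTEM service, any of these is a privilege-
# escalation path. 'plugin' loads a DLL/shared object into the openvpn process
# and, unlike the script hooks, is not gated by 'script-security'.
CODE_EXEC_DIRECTIVES = frozenset({
    "plugin",
    "up", "down", "route-up", "route-pre-down", "ipchange",
    "client-connect", "client-disconnect", "learn-address",
    "auth-user-pass-verify", "tls-verify",
    "script-security",
})

# Directives a client is allowed to vary (server selection and tunnel basics).
# Assumed allowlist for this example; a real service would pin most of these.
ALLOWED_DIRECTIVES = frozenset({
    "client", "dev", "proto", "remote", "resolv-retry", "nobind",
    "persist-key", "persist-tun", "cipher", "auth", "verb", "remote-cert-tls",
    "ca", "cert", "key", "tls-auth", "key-direction", "ping", "ping-restart",
})

_INLINE_OPEN = re.compile(r"^<([A-Za-z0-9_-]+)>\s*$")


def parse_directives(config_text):
    """Yield (line_no, directive, args) for each active directive.

    Lines inside inline file blocks such as <ca>...</ca> are file payload,
    not directives, so they are skipped rather than parsed. OpenVPN accepts an
    optional leading '--' in config files, so it is stripped before matching;
    a filter that only looks for 'plugin' at line start would miss '--plugin'.
    """
    in_block = None
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = _INLINE_OPEN.match(line)
        if m:
            in_block = m.group(1)
            yield n, m.group(1), ["<inline>"]
            continue
        if not line or line[0] in "#;":
            continue
        parts = line.split()  # rough tokenizer; the directive is token 0
        directive = parts[0]
        if directive.startswith("--"):
            directive = directive[2:]
        yield n, directive.lower(), parts[1:]


def audit_config(config_text):
    """Return a list of (line_no, directive, reason); empty means clean."""
    findings = []
    for n, directive, _args in parse_directives(config_text):
        if directive in CODE_EXEC_DIRECTIVES:
            findings.append((n, directive, "executes code as the service user"))
        elif directive not in ALLOWED_DIRECTIVES:
            findings.append((n, directive, "not on allowlist"))
    return findings


def is_safe(config_text):
    """True if the config contains only allowlisted directives."""
    return not audit_config(config_text)


# Constructed sample: what a legitimate client would send (server choice only).
BENIGN_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
</ca>
verb 3
"""

# Constructed sample of the abuse the text describes: the same config with a
# script hook and a plugin line that makes openvpn load an attacker-controlled
# DLL on every connection. Paths are hypothetical.
MALICIOUS_CONFIG = BENIGN_CONFIG + "\n".join([
    "# leading dashes are legal in config files and must not bypass the filter",
    "--script-security 2",
    r'up "C:\Users\lowpriv\payload.bat"',
    r"plugin C:\Users\lowpriv\evil.dll",
    "",
])

if __name__ == "__main__":
    print("benign safe:", is_safe(BENIGN_CONFIG))
    for finding in audit_config(MALICIOUS_CONFIG):
        print("line %d: %s (%s)" % finding)
```

The allowlist is deliberately stricter than a denylist alone: OpenVPN has many options, and a service that forwards anything not explicitly blocked will eventually forward something that spawns a process. Rejecting the whole request on the first finding, rather than stripping the offending lines, avoids arguments about tokenizer edge cases between this check and openvpn's own parser.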
Recommendation: The security update should be applied as soon as possible because of the high criticality rating of these vulnerabilities and the potential for an actor to take control of an affected system. Additionally, your company should have policies in place to review and apply security updates for software in use, to protect against known vulnerabilities that threat actors may exploit.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.