Aviatrix VPN flaw allowed hackers to access to victim's system

News by Rene Millman

Security researchers have disclosed a flaw in the Aviatrix VPN client that give a hacker unlimited access to a victim's system - now patched.

Security researchers have disclosed a flaw in the Aviatrix VPN client that give a hacker unlimited access to a victim’s system.
According to a blog post by researchers at Immersive Labs, the flaw was uncovered by researcher and content engineer Alex Seymour. The vulnerability would have allowed an attacker who already had access to a machine to escalate privileges and achieve anything they wanted; for example, gaining access to files, folders and network services that the user would not previously have been able to access.
Seymour started research into the Aviatrix VPN client began after noting the verbose output when starting the client on a Linux machine. The problem exists in the Linux, macOS and FreeBSD versions of the Aviatrix client which use the OpenVPN command’s -up and -down flags to execute shell scripts when a VPN connection is established and terminated.
Because of the weak file permissions set on the installation directory on Linux and FreeBSD, it is possible for a hacker to modify these scripts. As the backend service executes the openvpn command, this results in the script being executed with elevated privileges.
The disclosure comes after the National Security Agency (NSA) and National Security Council (NSC) warned of state-sponsored attackers targeting vulnerabilities in VPNs.
"Coming hot on the heels of the UK and US Government warnings about VPN vulnerabilities, this underlines that often the technology protecting enterprises needs to be managed as tightly as the people using it," said Seymour.
"People tend to think of their VPN as one of the more secure elements of their security posture, so it should be a bit of a wakeup call for the industry."
Aviatrix has now fixed the issue, releasing a patch, v2.4.10 on November 4.
"Users should install the new patch as soon as possible to ensure there is no exploitation in the wild," said Seymour.
Javvad Malik, security awareness advocate at KnowBe4 told SC Media UK that this particular vulnerability can be exploited only once the attacker already had access to the machine, so from a risk perspective there are bigger things to worry about, such as securing the initial access vector to the machine itself. 
"For companies, it is a case of assessing the actual risk and prioritising the patches or other remedial measure as deemed appropriate," he said. "It does show a recent trend in which we have seen several attacks against VPN's - likely as they grow in popularity. So companies should carefully consider how they deploy VPNs and secure them to ensure that they don't become a point of entry for attackers instead of a security tool."
Pascal Geenens, Radware EMEA security evangelist, told SC Media UK that enterprises are moving away from client VPN based solutions in favour of zero trust security provided through cloud applications.
"At some point, all enterprise applications will (or should) be provided through the cloud at which point there is no reason to keep a solid, encrypted tunnel to the main enterprise hub. Identity and Access Management will be provided through the cloud applications, a model we like to refer to as Zero Trust - as in ‘we only trust in who you say you are but not the state your device is in’. I’m aware we still have a ways to go before all will be zero trust, but I believe this is the right way forward for securing the (remote) access to company data," he said.
News of the flaw comes as another security researcher published details for a vulnerability that exists on most Linux distros, and other  *nix operating systems which allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website.
According to an advisory on Seclists, William J. Tolley, Beau Kujath, and Jedidiah R. Crandall, Breakpointing Bad researchers at University of New Mexico said they were able to determine the exact seq and ack numbers by counting encrypted packets and/or examining their size. 
"This allows us to inject data into the TCP stream and hijack connections," the report said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews