Two OpenVPN-based virtual private network clients have reportedly updated their software after a researcher discovered that a previous attempt to patch an arbitrary code execution vulnerability was not entirely effective.
According to Cisco Systems’ Talos division, the bugs in Switzerland-based ProtonVPN (CVE-2018-4010) and Panama-based NordVPN (CVE-2018-3952) can allow attackers in Windows environments to use a specially crafted configuration file to elevate privileges to administrator, and then execute code. Officially described as the "improper neutralisation of special elements used in an operating system command," the bugs were both assigned a high CVSS score of 8.8.
The original bug found in both products (CVE-2018-10169) was discovered last April in a "connect" functionality that prompts the VPNs’ "service" component to receive orders to execute the OpenVPN configuration from the user interface. "To trigger this vulnerability, the attacker must add a parameter such as ‘plugin’ or ‘script-security’ in the OpenVPN configuration file," Talos explains in security advisories for both VPNs [1, 2]. "In this context, the plugin or the script will be executed by OpenVPN, which is executed by the service running as system."
Although NordVPN and ProtonVPN both published patches to check for such exploits, Talos senior software engineer Paul Rascagneres later discovered, while examining the OpenVPN source code of the configuration file parser, that the fixes could be bypassed, Cisco explains in a blog post further describing the issue. However, the latest round of patches apparently has eliminated this bypass technique.
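The lesson of the bypass is that a profile check must reason about what OpenVPN's parser will actually see, not about raw text. As an added example (my code, not Talos's or either vendor's), here is a defender-side validator that flags a profile whose parsed first token is a command-executing directive, beside an assumed naive prefix check; the deny list beyond the two directives the advisory names, the naive check and the sample profile are my assumptions.

```python
import re
import shlex

# Directives that make OpenVPN run a plugin or an external program. Seeded with
# the two the Talos advisories name; the others come from the OpenVPN manual and
# the selection is my assumption, not either vendor's list.
DANGEROUS = {"plugin", "script-security", "up", "down", "route-up", "route-pre-down",
             "ipchange", "client-connect", "client-disconnect", "learn-address"}

def naive_check(config_text):
    """Assumed weak check: prefix match on the raw line. Leading blanks, quotes
    or escapes that OpenVPN's parser strips make it miss a directive."""
    return [n for n, line in enumerate(config_text.splitlines(), 1)
            if any(line.startswith(d) for d in DANGEROUS)]

def first_token(line):
    """First word of a line parsed roughly as OpenVPN does: leading blanks are
    skipped, '#' or ';' starts a comment, quotes group words, backslash escapes."""
    lex = shlex.shlex(line, posix=True)
    lex.commenters = "#;"
    lex.whitespace_split = True
    try:
        return lex.get_token() or None
    except ValueError:                 # unbalanced quote: OpenVPN rejects the line
        return None

def find_dangerous(config_text):
    """(line_no, directive) for each line whose parsed first token is in
    DANGEROUS. Bodies of inline <tag>...</tag> blocks such as <ca> hold data,
    not directives, so they are skipped."""
    hits, open_tag = [], None
    for n, raw in enumerate(config_text.splitlines(), 1):
        s = raw.strip()
        if open_tag:
            open_tag = None if s == f"</{open_tag}>" else open_tag
            continue
        m = re.fullmatch(r"<([\w-]+)>", s)
        if m:
            open_tag = m.group(1)
            continue
        tok = first_token(raw)
        if tok and tok.lower() in DANGEROUS:   # lowercasing is deliberately strict
            hits.append((n, tok))
    return hits

# Constructed sample: line 3 is what a prefix check misses and a parser sees.
SAMPLE = ("client\nremote vpn.example.invalid 1194\n"
          '  "plugin" placeholder.dll\n# plugin in a comment\n'
          "<ca>\n-----BEGIN CERTIFICATE-----\nMIIB placeholder\n"
          "-----END CERTIFICATE-----\n</ca>\n")
```

On `SAMPLE`, `naive_check` returns nothing while `find_dangerous` reports line 3; a real client should reject the whole profile on any hit rather than strip the line.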
In a brief statement, a NordVPN spokesperson said that the company patched the vulnerability "more than a month ago."