Monday, 10 September 2018 10:11

Cisco team finds holes in NordVPN and ProtonVPN Windows clients


Cisco's Talos Intelligence Group says it has discovered similar vulnerabilities in the NordVPN and ProtonVPN clients for Windows, which allow an ordinary user to run commands as an administrator.

Talos researcher Paul Rascagneres said in a blog post that the vulnerabilities were similar to one found by security firm VerSprite in April. Although NordVPN and ProtonVPN, both widely used VPN clients, had issued fixes for the flaw found in April, Rascagneres said the Talos team had found a way to bypass the patch.

He said both clients had a similar design: a user interface that ran with the permissions of the logged-in user, and a service that received orders from the UI.

"The purpose of this application (the UI) is to allow the user to select the VPN configuration, such as the protocol, the location of the VPN server, etc," Rascagneres wrote. "The information is sent to a service when the user clicks on 'connect' (it's, in fact, an OpenVPN configuration file)."

The service binary received the VPN configuration file from the UI; its purpose was to execute the OpenVPN client binary with administrator privileges, using the user's configuration file.

But due to the new flaw found by Talos, it was possible to abuse the service and allow any standard user to run arbitrary commands through OpenVPN with administrator privileges, he pointed out.
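One way a privileged service can handle a configuration it receives from an unprivileged UI, shown as an added example (not code from Talos, NordVPN or ProtonVPN, and not a description of either vendor's fix): accept only allow-listed directives and pass OpenVPN a rewritten file rather than the original text. The directive list, the `sanitize_config` name and the sample hostname are assumptions made for this illustration.

```python
import re
import shlex

# Assumption for this example: the only directives the UI ever needs to send,
# mapped to the maximum number of arguments each may carry.
ALLOWED = {
    "client": 0, "nobind": 0, "persist-key": 0, "persist-tun": 0,
    "dev": 1, "proto": 1, "cipher": 1, "auth": 1, "verb": 1,
    "remote-cert-tls": 1, "resolv-retry": 1, "remote": 3,
}
# Conservative argument shape: no quotes, spaces, slashes or backslashes.
SAFE_ARG = re.compile(r"[A-Za-z0-9._:-]{1,253}")

# Constructed sample of what the UI might send (hostname is a placeholder).
SAMPLE = """\
# chosen in the UI
client
dev tun
"proto" udp
remote vpn.example.net 1194
"""


class ConfigRejected(ValueError):
    """Raised when the unprivileged side sends anything off the allow-list."""


def sanitize_config(text):
    """Validate UI-supplied config text and return a canonical rewrite."""
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        try:
            tokens = shlex.split(line, comments=True)  # resolve quoting first
        except ValueError as exc:            # e.g. unbalanced quotes: fail closed
            raise ConfigRejected(f"line {lineno}: {exc}") from None
        if not tokens:
            continue
        name, args = tokens[0], tokens[1:]
        if name not in ALLOWED:
            raise ConfigRejected(f"line {lineno}: directive {name!r} not allowed")
        if len(args) > ALLOWED[name]:
            raise ConfigRejected(f"line {lineno}: too many arguments for {name}")
        for arg in args:
            if not SAFE_ARG.fullmatch(arg):
                raise ConfigRejected(f"line {lineno}: unsafe argument {arg!r}")
        out.append(" ".join([name, *args]))  # rebuilt from validated tokens only
    return "\n".join(out) + "\n"
```

The service would write the returned string to a file only it can modify and start OpenVPN with that file, so the text OpenVPN parses is exactly the text that was validated.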

The versions of the clients tested were ProtonVPN VPN Client 1.5.1 and NordVPN

Detailed vulnerability reports are here for NordVPN and at this link for ProtonVPN.

NordVPN press officer Laura Tyrell said in an unsolicited comment sent to iTWire that the vulnerability in the company's VPN application had been fixed by the time Cisco publicly disclosed the CVE.

"At the beginning of August, an automatic update was pushed to all our customers, which means the majority of users had their apps updated long before the public disclosure. These actions virtually eliminated most of the risk for the vulnerability to be exploited in real life conditions," she claimed.

"In order to exploit the flaw, an attacker had to have physical access to a victim's PC. Such a situation alone leads to a variety of severe security threats beyond [that posed by] any individual apps. In order to apply the best security practices, we are also running an independent application security audit."

Tyrell said the company had published its own advisory about the flaw.




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
