Vulnerabilities in the VPNs NordVPN and ProtonVPN have been identified that allow execution of arbitrary code with system level privileges, highlighting the risk that can be introduced if VPN software is not kept fully patched and up to date.

VPNs May Not be As Secure as You Think

One common method used to securely access the Internet on public WiFi networks is to connect through a VPN. A VPN helps to prevent man-in-the-middle attacks and the interception of data by creating a secure tunnel through which data flows. Using VPN software means a user’s data is encrypted preventing information from being accessed by malicious actors.

While the connection is secured using a VPN, that does not always mean that a user is well protected. VPNs may not be quite as secure as users believe. Like any software, there can be vulnerabilities in VPNs that can be exploited. If the latest version of VPN software is not used, data may be vulnerable.

High Severity Vulnerabilities Identified in Popular VPNs

Recently, two of the most popular VPN clients have been found to contain a privilege escalation bug that could be exploited to allow an attacker to execute arbitrary code with elevated privileges.

The bug is present in NordVPN and ProtonVPN clients, both of which use the open-source OpenVPN software to create a tunnel through which information passes. In April, a flaw was identified which allowed an attacker with low level privileges to run arbitrary code and elevate their privileges to system level. Further, the flaw was not difficult to exploit.

A change could easily be made to the OpenVPN configuration file, adding parameters such as “plugin”, “script-security”, “up”, and “down”. Files specified within those parameters would be executed with elevated privileges. The flaw was identified by security researcher Fabius Watson of VerSprite Security, and prompt action was taken to patch the flaw.

However, while patches were issued by NordVPN and ProtonVPN that prevented the “plugin”, “script-security”, “up”, and “down” parameters from being added to the configuration file by standard users, the flaw had only been partially corrected.

Researchers at Cisco Talos discovered the same parameters could still be added to the configuration file if they were added in quotation marks. Doing that would bypass the mitigations of the patches. These vulnerabilities have been tracked under separate CVE codes – CVE-2018-3952 for ProtonVPN and CVE-2018-4010 for NordVPN. Both flaws are considered high-severity and have been assigned a CVSS v3 base score of 8.8 out of 10.

NordVPN and ProtonVPN have now released an updated patch which prevents the addition of these parameters using quotation marks, thus preventing threat actors from exploiting the vulnerability. Both vendors have tackled the problem in different ways, with ProtonVPN opting to put the configuration file in the installation directory to prevent standard users from making any changes, while NordVPN used an XML model to generate the configuration file. Standard users are not able to modify the template.

Securing Connections on Public WiFi Access Points

VPNs are an excellent way of improving security when connecting to public WiFi networks, but policies and procedures should be implemented to ensure that patches are applied promptly. It is not always possible to configure VPN clients to automatically update to the latest version. If vulnerabilities in VPNs are not addressed, they can be a major security weak point.

An additional protection that can be implemented to protect remote workers when connecting to WiFi networks is a web filtering solution such a WebTitan. WebTitan allows businesses to carefully control the web content that can be accessed by employees no matter where they connect – through wired networks, business WiFi networks, and when connecting to the Internet through public WiFi networks.

By controlling the types of sites that can be accessed, and using blacklists of known malicious sites, the potential for malware downloads can be greatly reduced.

If you want to improve WiFi security or implement web filtering controls for remote workers, contact the TitanHQ team today to find out more about WebTitan and the difference it can make to your security posture.