This popular VPN has been hit by a significant security vulnerability
A security researcher has found a new vulnerability in the VPN service SaferVPN that could allow local privilege escalation on Windows systems.
The local privilege escalation vulnerability was discovered by a researcher known as nmht3t, who previously disclosed that SaferVPN silently fixed a DoS vulnerability in its VPN client last September. In a new blog post on Medium, nmht3t explained why he chose to publicly disclose his latest discovery, saying:
“SaferVPN doesn’t fix this vulnerability even after a 90-day disclosure deadline. Therefore, there is no patch available at the moment for this product. In order to inform the users of the vulnerability, I decided to publicly disclose the vulnerability.”
Security researchers typically give companies a 90-day deadline to fix any vulnerabilities before they disclose them publicly. As SaferVPN did not patch this latest vulnerability in a timely manner, nmht3t felt it was in the best interest of the company’s users to warn them about it.
Local privilege escalation flaw
According to nmht3t’s vulnerability summary, when SaferVPN attempts to connect to a VPN server it spawns the OpenVPN executable in the context of NT AUTHORITY\SYSTEM. The service’s VPN client then tries to load an openssl.cnf configuration file from a non-existent folder (C:\etc\ssl\openssl.cnf).
However, as a low-privileged user is able to create folders under C:\ on Windows, it is possible for them to create the appropriate path and place a crafted openssl.cnf file in it. Once OpenVPN starts in SaferVPN, this file can load a malicious OpenSSL engine library, which results in arbitrary code execution as SYSTEM.
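The planting precondition described above, as an added example that is not from the article, the researcher or SaferVPN: a PowerShell audit script (the function names Test-PlantableConfig and Protect-ConfigDir are assumptions; the path is the one given in the vulnerability summary) that reports whether a low-privileged user could create the openssl.cnf path on this host and, with -Mitigate, pre-creates the folder with an administrators-only ACL as a stopgap until a vendor patch is available.

```powershell
# Added example, not from the article or from SaferVPN. Audits the openssl.cnf path
# named in the vulnerability summary and, with -Mitigate, pre-creates its folder with
# an administrators-only ACL as a stopgap. Run from an elevated PowerShell session.
param([switch]$Mitigate)
$CnfPath = 'C:\etc\ssl\openssl.cnf'   # path OpenVPN is reported to read while running as SYSTEM
$CnfDir  = Split-Path -Path $CnfPath -Parent

function Test-PlantableConfig {
    param([string]$Path)
    $lowPriv = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    $admins  = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
    if (Test-Path -Path $Path) {   # already present: suspicious unless an admin principal owns it
        $owner = (Get-Acl -Path $Path).Owner
        Write-Host "$Path exists, owner: $owner"
        return ($admins -notcontains $owner)
    }
    # Absent: find the nearest existing ancestor and check whether a low-privileged
    # principal may create subfolders there, which is the precondition for planting the file.
    $probe = $Path
    while (-not (Test-Path -Path $probe)) { $probe = Split-Path -Path $probe -Parent }
    $createDirs = [System.Security.AccessControl.FileSystemRights]::CreateDirectories
    foreach ($ace in (Get-Acl -Path $probe).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $ace.IdentityReference.Value -and
            (($ace.FileSystemRights -band $createDirs) -ne 0)) {
            Write-Host "$probe lets $($ace.IdentityReference.Value) create folders, so $Path is plantable"
            return $true
        }
    }
    return $false
}
function Protect-ConfigDir {
    param([string]$Directory)
    # Create the folder so an unprivileged user no longer can, then drop inherited rights
    # in favour of an explicit SYSTEM/Administrators full-control, Users read-only ACL.
    New-Item -ItemType Directory -Path $Directory -Force | Out-Null
    $acl = Get-Acl -Path $Directory
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = 'ContainerInherit,ObjectInherit'
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', $inherit, 'None', 'Allow')))
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Users', 'ReadAndExecute', $inherit, 'None', 'Allow')))
    Set-Acl -Path $Directory -AclObject $acl
}
if (Test-PlantableConfig -Path $CnfPath) {
    Write-Warning "$CnfPath can be planted by a low-privileged user (CVE-2020-26050 precondition)"
    if ($Mitigate) { Protect-ConfigDir -Directory $CnfDir; Write-Host "Locked down $CnfDir" }
}
```

Pre-creating the folder only removes the planting step on this host; the actual fix has to come from the vendor. Note that -Force also creates C:\etc with the drive's default inherited rights, so apply the same lock-down there if your policy requires it.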
SaferVPN versions 126.96.36.199 to 5.04.15 are vulnerable to this local privilege escalation flaw, tracked as CVE-2020-26050.
Nmht3t first discovered this vulnerability earlier this year and sent the details of the vulnerability to SaferVPN in July. After a follow-up with no response from the company and informing them that the 90-day disclosure deadline was approaching, nmht3t decided to make their findings public in January.