NordVPN And ProtonVPN Patched Their Vulnerabilities Before They Became Known

VPN services direct internet traffic through an encrypted tunnel, which should help preserve users' privacy and security online. However, two of the most popular VPNs were exposing users to serious security flaws.

According to a post from Cisco Talos security researchers, both NordVPN and ProtonVPN suffered from vulnerabilities in their desktop clients. The flaws known as CVE-2018-3952 and CVE-2018-4010, opened the door to so-called privilege escalation attack.

This could allow attackers to run any code they wanted as a regular user with administrator privileges.

The vulnerabilities were similar to a Windows privilege escalation security flaw earlier discovered by VerSprite, which is tracked as CVE-2018-10169.

Following the security patch for CVE-2018-10169 which was released in April, security researchers from Talos started looking for similar exploits.

They found that it was still possible to force the NordVPN and ProtonVPN clients to run arbitrary code, because both VPNs use a similar interface design: sending information about users desired connections back to the VPN using an OpenVPN configuration file.

Security patches to control mechanism for the content of the OpenVPN configuration file were then applied in April by both VPN services to resolve the original CVE-2018-10169 security hole, but Talos discovered a coding mistake in the patch, saying that: "Despite the fix, it [was] still possible to execute code as an administrator on the system."

The coding mistake permits attackers to circumvent the fix.

What this means, it was still possible for attackers to execute arbitrary code through a different means of exploit, after the user clicked 'Connect', as Cisco Talos security researchers explained:

"The 'Connect' method accepts a class instance argument that provides attacker control of the OpenVPN command line. An attacker can specify a dynamic library plugin that should run for every new VPN connection. This plugin will execute code in the context of the SYSTEM user."
How VPN works
VPN services direct internet traffic through an encrypted tunnel, which should help preserve users' privacy and security online

For both exploits, the attacker must first have access to the victim’s PC, prior to exploiting the VPN services.

After Talos alerted both VPN providers, NordVPN implemented an XML model to generate OpenVPN configuration files, so non-administrator users cannot edit the XML template. This should make it impossible for hackers to create fake OpenVPN files as was previously possible.

"We have a diligent team of dedicated software engineers and cybersecurity experts working on our system to keep it as secure and functional as possible," said NordVPN's Daniel Markuson wrote in a company blog. "With that being said, everyone makes mistakes. That’s why the work of institutions like Talos Intelligence is so important. By discovering vulnerabilities and reporting them to companies before they’re published, they help make the internet a more secure place for everyone – without endangering users in the process."

ProtonVPN on the other hand, took a little longer and created a fix by moving the OpenVPN configuration files into its installation directory where non-administrator users can't modify them. "Later versions of ProtonVPN have resolved this issue and users have been automatically prompted to update," said a ProtonVPN spokesperson.

Both VPN services said that there was no evidence of the vulnerabilities being exploited in the wild.

But still, it's better safe than sorry. Users should update their NordVPN and ProtonVPN to the newer builds as quickly as possible to avoid compromise through the bugs.