Cisco’s Talos security lab has found vulnerabilities in the client software of two virtual private network (VPN) services that could let attackers seize control of your Windows computer.
Both companies have now patched their software, but you may have to run manual updates to get the fixes. If you are using either of these VPN services, update the client software as soon as possible.
According to Cisco Talos, which made the flaws public on Friday (Sept. 7), the two “vulnerabilities allow attackers to execute code as an administrator on Microsoft Windows operating systems from a standard user.”
In other words, malware that infected a limited user’s Windows account on which the NordVPN or ProtonVPN client software was running could leverage the flaw to seize full control of the machine. Needless to say, that’s not supposed to happen.
The vulnerabilities are the result of half-hearted patches for a similar bug found earlier this year by VerSprite, a small Atlanta-based firm.
Back in April 2018, VerSprite found that it could edit OpenVPN configuration files in NordVPN and ProtonVPN client software.
OpenVPN is an open-source VPN protocol used by many commercial VPN services. The services use small text files, called configuration files, to tell the OpenVPN software how to connect to their VPN servers.
But unfortunately, while VPN client software runs as a limited user lacking the privileges to make changes to the system or to other applications, OpenVPN needs to have administrator privileges to work.
NordVPN and ProtonVPN made the mistake of letting their OpenVPN configuration files be accessible from and alterable by limited users. Because of that, malware or an attacker with limited privileges could nevertheless seize control of the machine.
It’s not clear whether any other VPN service providers might be affected by these privilege-escalation flaws, or if NordVPN and ProtonVPN’s Mac and Linux client applications might be affected as well.
Following VerSprite’s discovery in April, ProtonVPN and NordVPN released identical patches to their client software that, in theory, sealed the opening by forbidding four snippets of dangerous text from appearing in their OpenVPN configurations.
But Cisco Talos researcher Paul Rascagneres found that attackers could bypass those patches by simply putting quotation marks around the forbidden words.
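To illustrate why the first patches described above were fragile, here is an added example (not code from Cisco Talos, VerSprite or either vendor): a blocklist that compares the raw first word of a line misses a quoted directive, whereas a check that unquotes the line the way OpenVPN's own option parser does, or an allowlist of the directives a client actually needs, does not. The four directive names, the allowlist and the sample config lines are assumptions constructed for this example; the article does not name the snippets the vendors blocked.

```python
import shlex

# Assumption for this example: OpenVPN directives that make the privileged
# OpenVPN process run or load external code. The article does not name the
# four snippets the vendors blocked; these four are illustrative stand-ins.
DANGEROUS = {"up", "down", "plugin", "script-security"}

# Directives a client actually needs (assumed set), for the allowlist form.
ALLOWED = {"client", "dev", "proto", "remote", "remote-cert-tls", "cipher",
           "auth", "verb", "nobind", "persist-key", "persist-tun", "ca"}

# Constructed sample lines; the script path is a placeholder, not a real file.
PLAIN = "remote vpn.example.invalid 1194 udp"
FORBIDDEN = "up C:/Users/Public/some-script.bat"
QUOTED = '"up" C:/Users/Public/some-script.bat'


def naive_rejects(line: str) -> bool:
    """Blocklist of the kind the article describes: compare the first
    whitespace-separated word of the raw line with the forbidden list."""
    words = line.split()
    return bool(words) and words[0] in DANGEROUS


def openvpn_tokens(line: str) -> list:
    """Split a line as OpenVPN's option parser does: whitespace separates
    tokens, quotes group one, backslash escapes the next character, and
    '#' or ';' begins a comment. Raises ValueError on an unclosed quote."""
    lex = shlex.shlex(line, posix=True)
    lex.whitespace_split = True
    lex.commenters = "#;"
    return list(lex)


def hardened_rejects(line: str) -> bool:
    """Same blocklist, applied after the unquoting OpenVPN will perform, so
    quoting or escaping the directive no longer hides it; fail closed."""
    try:
        tokens = openvpn_tokens(line)
    except ValueError:
        return True
    return bool(tokens) and tokens[0] in DANGEROUS


def allowlist_accepts(config: str) -> bool:
    """Stronger still: accept a config only if every directive is allowed."""
    try:
        return all(not t or t[0] in ALLOWED
                   for t in map(openvpn_tokens, config.splitlines()))
    except ValueError:
        return False
```

Even the hardened check only validates input that a limited user can still write; the fixes the vendors eventually shipped (a fixed template, or a folder limited users cannot reach) remove that control altogether.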
Rascagneres reported the problem to NordVPN and ProtonVPN in July, and the companies recently released new patches that fix the holes.
NordVPN now generates OpenVPN configuration files on the fly from a fixed template, and ProtonVPN moved its configuration file to a folder that limited users cannot reach.