VPNs With Code Execution Security Flaws Patched, Update Now

     
11:49 am on Sep 11, 2018 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 9, 2000
posts:25900
votes: 871


Security vulnerabilities in some popular VPNs could lead to code execution by bad actors. There was a patch released quite quickly, but, according to researchers, there was still a security vulnerability.

Patches have again been released, and users should update, if they have not already done so.

The malicious content of the OpenVPN file can then lead to tampering with the VPN service, information disclosure, and hijacking through arbitrary commands.

During testing of ProtonVPN VPN version 1.5.1 and NordVPN version 6.14.28.0, the security researchers found that the original patches for both VPN clients could be bypassed.

[zdnet.com...]
7:21 am on Sept 12, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 891


For my needs, I've always used a web-based VPN, which doesn't seem to be vulnerable to this exploit, unless of course the host is using the software mentioned in the article.
11:42 am on Sept 12, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator martinibuster is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 13, 2002
posts:14886
votes: 484


Just clarifying. According to the article, this vulnerability is exclusive to ProtonVPN and NordVPN.

The vulnerability isn't tied to OpenVPN itself. But rather, it exploits a vulnerability in ProtonVPN and NordVPN in order to execute code as an administrator via an "OpenVPN configuration file."

If this had affected OpenVPN itself, that would have been a real mess. :o