‘SaferVPN’ Found to Be Vulnerable to Local Privilege Escalation

guest · Jan 16, 2021

‘SaferVPN’ Found to Be Vulnerable to Local Privilege Escalation
‘SaferVPN’ is vulnerable to a nasty flaw that it failed to address even after three months
January 13, 2021
https://www.technadu.com/safervpn-vulnerable-local-privilege-escalation/240441/

Security researcher “nmht3t” has discovered a local privilege escalation flaw affecting the ‘SaferVPN’ product – and more specifically, its Windows client. The vulnerable versions are anything from 5.0.3.3 to the most recent one, which is 5.0.4.15. This means that the flaw, given the “CVE-2020-26050” identifier, is still unfixed, and the VPN vendor hasn’t provided a fixing patch yet. And as denoted by the identifier, the researcher reported this bug 90 days ago, so we have now reached the disclosure deadline.

The researcher has provided the proof of concept example through video and also details how to reproduce it on the relevant write-up, so anyone can now hit ‘SaferVPN.’ According to the researcher, SaferVPN spawns an OpenVPN executable in the context of NT AUTHORITY\SYSTEM every time it attempts to connect to a VPN server.
Click to expand...

According to the researcher, SaferVPN’s team never responded to his warnings and messages, which does not indicate an actively supported and generally “alive” project. This is very unfortunate, as SaferVPN has had a good reputation in general.
Click to expand...

[CVE-2020–26050] SaferVPN for Windows Local Privilege Escalation

Because a low-privileged user is allowed to create folders under C:\, it’s possible for the user to create the appropriate path and place the crafted openssl.cnf file in it. Once the openvpn.exe service starts, the openssl.cnf file will load a malicious OpenSSL engine library resulting in arbitrary code execution as SYSTEM.
Click to expand...

Timeline
07–10–2020 — Sent the details of the vulnerability
10–11–2020 —Followed up and no response from the vendor
15–12–2020 — Informed the vendor of the fact that the 90-day disclosure deadline was approaching
7.1.2021 — CVE Assigned CVE-2020–26050
12.1.2021 — Public disclosure
Click to expand...

Log in or Sign up

‘SaferVPN’ Found to Be Vulnerable to Local Privilege Escalation

guest Guest

Log in or Sign up

‘SaferVPN’ Found to Be Vulnerable to Local Privilege Escalation

guest Guest

Useful Searches