The vulnerabilities allow an attacker with standard user privileges to execute code as an administrator on Microsoft Windows operating systems. They are tracked as TALOS-2018-0622 / CVE-2018-3952 (NordVPN) and TALOS-2018-0679 / CVE-2018-4010 (ProtonVPN).
The vulnerabilities are similar to a bug previously discovered by VerSprite in April 2018: CVE-2018-10169.
That same month, both clients released similar patches to fix this flaw.
However, we identified a way to bypass that patch.
Despite the fix, it is still possible to execute code as an administrator on the system.
More details can be found in the vulnerability reports:
- NordVPN report: TALOS-2018-0622 / CVE-2018-3952
- ProtonVPN report: TALOS-2018-0679 / CVE-2018-4010
TESTED VERSIONS:
- ProtonVPN VPN Client 1.5.1
- NordVPN 6.14.28.0
COVERAGE
The following Snort rules will detect exploitation attempts. Additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Console or Snort.org.
Snort Rules: 47035 – 47036
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec. Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.