The vulnerabilities allow attackers to execute code as an administrator on Microsoft Windows operating systems from a standard user. The vulnerabilities were tracked to the CVE IDs TALOS-2018-0622 / CVE-2018-3952 (NordVPN) and TALOS-2018-0679 / CVE-2018-4010 (ProntonVPN).
The vulnerabilities are similar to a bug previously discovered by VerSprite in April 2018: CVE-2018-10169.
That same month, both clients released similar patches to fix this flaw.
However, we identified a way to bypass that patch.
Despite the fix, it is still possible to execute code as an administrator on the system.
More details can be found in the vulnerability reports:
- NordVPN report: TALOS-2018-0622 / CVE-2018-3952
- ProtonVPN report: TALOS-2018-0679 / CVE-2018-4010
TESTED VERSIONS:
- ProtonVPN VPN Client 1.5.1
- NordVPN 6.14.28.0
COVERAGE
The following Snort rules will detect exploitation attempts. Additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Console or Snort.org.
Snort Rules: 47035 – 47036
Enjoy the report here.