The local privilege escalation vulnerability was found by a researcher known as mmht3t, who previously disclosed the fact that SaferVPN silently fixed a DoS vulnerability in its VPN client last September. In a new blog post on Medium, mmht3t explained why he chose to publicly disclose his latest discovery, saying:
“SaferVPN does not fix this vulnerability even after a 90-day disclosure deadline. Therefore, there is no patch available at the moment for this product. In order to inform the users of the vulnerability, I decided to publicly disclose the vulnerability.”
Security researchers typically give companies a 90-day deadline to fix any vulnerabilities before they disclose them publicly. As SaferVPN did not patch this latest vulnerability in a timely manner, mmht3t felt it was in the best interest of the company’s users to warn them about it.
Local privilege escalation flaw
According to mmht3t’s vulnerability summary, when SaferVPN attempts to connect to a VPN server it spawns the OpenVPN executable in the context of NT AUTHORITY\SYSTEM. The service’s VPN client then tries to load an openssl.cnf configuration file from a folder that does not exist (C:\etc\ssl\openssl.cnf).
However, since a low-privileged user is able to create folders directly under C:\ on Windows, it is possible for them to create the missing path and place a crafted openssl.cnf file in it. Once OpenVPN starts under SaferVPN, that file can direct OpenSSL to load a malicious engine library, which results in arbitrary code execution as SYSTEM.
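The following PowerShell script is an added example, not code from the article, from mmht3t or from SaferVPN. It checks the two preconditions the advisory relies on: whether C:\etc\ssl\openssl.cnf (or its parent folders) already exists and who owns it, and whether non-administrator principals hold the CreateDirectories right on C:\. With -Mitigate it pre-creates C:\etc\ssl as an Administrators/SYSTEM-only folder so an unprivileged user cannot claim the path; that workaround is this example's own idea, not a vendor-provided fix, and the paths and the set of "trusted" principal names it filters on are assumptions for illustration.

```powershell
# Added example (not from the article or from SaferVPN/mmht3t): audit the preconditions
# of the openssl.cnf planting described above, and optionally pre-claim the folder.
# Run from an elevated PowerShell prompt.
param([switch]$Mitigate)

$configPath = 'C:\etc\ssl\openssl.cnf'   # path the advisory says OpenVPN tries to load
$dirPath    = 'C:\etc\ssl'
$parentDir  = 'C:\etc'

# 1. Has the path already been created? Report each component and its owner, since a
#    folder owned by a non-admin account is a sign someone has claimed it.
foreach ($p in $parentDir, $dirPath, $configPath) {
    if (Test-Path -LiteralPath $p) {
        $owner = (Get-Acl -LiteralPath $p).Owner
        Write-Warning "$p exists (owner: $owner)"
    } else {
        Write-Output "$p does not exist."
    }
}

# If a config file is present, surface the lines that would pull in an engine library
# ('dynamic_path' is the OpenSSL engine-config keyword that names a DLL to load).
if (Test-Path -LiteralPath $configPath) {
    Get-Content -LiteralPath $configPath | Select-String -Pattern 'dynamic_path|engine' |
        ForEach-Object { Write-Warning "  $($_.Line.Trim())" }
}

# 2. Which non-admin principals can create subfolders at the root of C:\?
#    (Assumed list of trusted identities; a default install grants Authenticated Users
#    the CreateDirectories/AppendData right on C:\, which is what the advisory relies on.)
$createDirs = [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories
$rootAcl    = Get-Acl -LiteralPath 'C:\'
$nonAdminCreators = $rootAcl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.IdentityReference.ToString() -notmatch 'Administrators|SYSTEM|TrustedInstaller|CREATOR OWNER') -and
    (([int]$_.FileSystemRights -band $createDirs) -ne 0)
}
if ($nonAdminCreators) {
    Write-Warning 'These principals can create folders directly under C:\ (so C:\etc\ssl can be claimed):'
    $nonAdminCreators | ForEach-Object { Write-Warning "  $($_.IdentityReference)" }
}

# 3. Optional workaround while no patch exists: create C:\etc and C:\etc\ssl ourselves,
#    disable inheritance so the Authenticated Users rights from C:\ do not flow down, and
#    grant Full Control only to Administrators and SYSTEM. Locking the parent matters too:
#    an attacker who owned C:\etc could otherwise delete or rename the ssl subfolder.
if ($Mitigate) {
    foreach ($d in $parentDir, $dirPath) {
        if (-not (Test-Path -LiteralPath $d)) {
            New-Item -ItemType Directory -Path $d | Out-Null
        }
        $acl = Get-Acl -LiteralPath $d
        $acl.SetAccessRuleProtection($true, $false)   # protected ACL, drop inherited ACEs
        foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
            $acl.AddAccessRule($rule)
        }
        Set-Acl -LiteralPath $d -AclObject $acl
        Write-Output "Locked down $d to Administrators and SYSTEM only."
    }
}
```

Run it once without -Mitigate to see whether the path has already been claimed on a host; if C:\etc or C:\etc\ssl exists and is owned by an ordinary user account, treat that as an indicator worth investigating rather than silently overwriting the ACL. Pre-creating the folder only closes the planting step; it does not change the fact that the client still runs OpenVPN as SYSTEM and looks for a configuration file in a world-creatable location.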
SaferVPN versions 188.8.131.52 to 5.04.15 are vulnerable to this local privilege escalation flaw, which is tracked as CVE-2020-26050.
mmht3t first discovered this vulnerability earlier this year and sent the details of the vulnerability to SaferVPN in July. After a follow-up with no response from the company, and after informing them that the 90-day disclosure deadline was approaching, mmht3t decided to make their findings public in January.