VPN security flaw left big businesses at risk
The open source enterprise VPN supplier Aviatrix, whose customers include BT, NASA and Shell, has patched a serious vulnerability that if exploited, could give an attacker escalation privileges on a machine they already had access to.
Immersive Labs researcher and content engineer Alex Seymour first discovered the vulnerability after he noticed that the company's VPN client was particularly verbose when booting up on a Linux machine.
The disclosure comes just two months after the NSA and the National Security Council warned organizations that state-sponsored attackers had begun to target vulnerabilities in VPNs. In a blog post announcing his discovery, Seymour warned that enterprise customers should install Aviatrix's latest patch as soon as possible, saying:
- Business VPN flaws exploited by hackers
- VPN accounts targeted by new malware
- These are the best business VPN providers
“Coming hot on the heels of the UK and US Government warnings about VPN vulnerabilities, this underlines that often the technology protecting enterprises needs to be managed as tightly as the people using it. People tend to think of their VPN as one of the more secure elements of their security posture, so it should be a bit of a wakeup call for the industry. Users should install the new patch as soon as possible to ensure there is no exploitation in the wild.”
The security flaw that Seymour discovered affects the Linux, macOS and FreeBSD versions of Aviatrix's client which all use OpenVPN command's -up and -down flags in order to execute shell scripts when a VPN connection is established or cut off.
As a result of weak file permissions set on the installation directory on Linux and FreeBSD, an attacker could potentially modify these scripts to execute with elevated privileges when the backend service executes the OpenVPN command. This would give an attacker access to files, folders and network services running on a machine using Aviatrix's VPN.
According to Seymour, Aviatrix has taken his disclosure very seriously and the company worked closely with Immersive Labs throughout the remediation process before it released a patch for the issue at the beginning of November.
If your organization is currently using Aviatrix's VPN client on Linux, FreeBSD or macOS, it is highly recommended that you apply the company's patch immediately to avoid falling victim to a privilege escalation attack.
- Also check out our complete list of the best VPN services
Via Computer Weekly