These Flawed VPN Fixes Leave You Open to Attack

UPDATED 10:45 a.m. EDT Wednesday, Sept. 12, with statements from NordVPN and ProtonVPN.

Cisco's Talos security lab has found vulnerabilities in the client software of two virtual private network (VPN) services that could let attackers seize control of your Windows computer.

Credit: Hywards/Shutterstock

The bugs involve privilege-escalation flaws in the client software of NordVPN, a major worldwide VPN service, and of ProtonVPN, a smaller service started a year or two ago.

Both companies have now patched their software, but you may have to run manual updates to get the fixes. If you are using either of these VPN services, update the client software as soon as possible.

According to Cisco Talos, which made the flaws public on Friday (Sept. 7), the two "vulnerabilities allow attackers to execute code as an administrator on Microsoft Windows operating systems from a standard user."

In other words, malware that infected a limited user's Windows account on which the NordVPN or ProtonVPN client software was running could leverage the flaw to seize full control of the machine. Needless to say, that's not supposed to happen.

The vulnerabilities are the result of half-hearted patches for a similar bug found earlier this year by VerSprite, a small Atlanta-based firm.

Back in April 2018, VerSprite found that it could edit OpenVPN configuration files in NordVPN and ProtonVPN client software.

OpenVPN is an open-source VPN protocol and software package used by many commercial VPN services. Rather than shipping their own tunnelling code, the services hand the OpenVPN program a configuration file: a short text file of directives that tells it which server to connect to, which port and protocol to use, which certificates to trust, and so on.

The trouble is the privilege gap between the two pieces. The VPN client's user interface runs as the logged-in user, who on a properly set up Windows machine is a limited user without the rights to change the system or other applications. OpenVPN itself, however, has to run with administrator privileges, because creating the virtual network adapter and rewriting the system's routing table are privileged operations.

NordVPN and ProtonVPN made the mistake of leaving the OpenVPN configuration file readable and writable by that limited user, then passing it to the privileged OpenVPN process. OpenVPN's configuration language includes directives that make it load a plugin or run a script, and whatever it runs inherits its privileges. So malware, or an attacker who already had a limited account, could edit the file and have the privileged process run code of their choosing, seizing control of the machine.

It's not clear whether any other VPN service providers might be affected by these privilege-escalation flaws, or if NordVPN and ProtonVPN's Mac and Linux client applications might be affected as well. [UPDATE: A ProtonVPN spokeswoman told us that only Windows systems are affected by the flaw.]

Following VerSprite's discovery in April, ProtonVPN and NordVPN released identical patches to their client software that, in theory, sealed the opening by rejecting any OpenVPN configuration that contained one of four dangerous directives. In effect, it was a blacklist of forbidden words.

But Cisco Talos researcher Paul Rascagneres found that attackers could bypass those patches by simply putting quotation marks around the forbidden words. The check compared each directive as it appeared in the file, while OpenVPN's own configuration parser accepts quoted tokens and strips the quotes before interpreting them. A quoted directive therefore slipped past the filter unrecognized, yet OpenVPN still executed it exactly as if it had been written plainly.

Rascagneres reported the problem to NordVPN and ProtonVPN in July, and the companies recently released new patches that fix the holes.

The two companies closed the hole in different ways. NordVPN now generates OpenVPN configuration files on the fly from a fixed template, so the user-writable file is no longer the source of what OpenVPN runs, and ProtonVPN moved its configuration file to a folder that limited users cannot write to.
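To make the failure concrete, here is an added example that models the blacklist check the article describes, the quotation-mark bypass, and the two hardened approaches (checking the parsed directive against an allow-list, and generating the file from a fixed template). It is not code from Tom's Guide, Cisco Talos, NordVPN or ProtonVPN. The four blacklisted directive names come from the public Talos advisory rather than this article; the allow-list, the template, the sample configs and the use of Python's `shlex` as a stand-in for OpenVPN's own tokenizer are all assumptions made for the illustration.

```python
"""
Added example: blacklisting OpenVPN directives by their literal text versus
checking the directive OpenVPN will actually parse.  Not code from any of the
vendors or researchers named in the article.
"""
import re
import shlex

# Directives that let the privileged openvpn process run attacker-chosen code.
# Names taken from the Talos advisory; the article itself does not list them.
BLACKLIST = {"plugin", "script-security", "up", "down"}

# Illustrative allow-list of what a client-generated config needs (assumption).
ALLOWLIST = {"client", "dev", "proto", "remote", "resolv-retry", "nobind",
             "persist-key", "persist-tun", "remote-cert-tls", "cipher",
             "auth", "verb", "auth-user-pass"}


def directive_lines(config):
    """Yield non-empty, non-comment lines ('#' and ';' start OpenVPN comments)."""
    for line in config.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            yield line


def tokenize(line):
    """Approximation of OpenVPN's line parser: whitespace-separated tokens,
    with single or double quotes grouping a token and then being stripped.
    shlex stands in for the real parser here (assumption)."""
    return shlex.split(line)


def blacklist_filter_accepts(config):
    """Models the April-2018 patches: reject a config whose first word on any
    line equals a forbidden directive.  Compares the raw word, quotes and all,
    which is exactly why quoting the word gets past it."""
    for line in directive_lines(config):
        if line.split()[0] in BLACKLIST:
            return False
    return True


def allowlist_filter_accepts(config):
    """Hardened check: parse each line the way OpenVPN would, then accept only
    directives on the allow-list.  Lines that fail to parse are rejected."""
    for line in directive_lines(config):
        try:
            tokens = tokenize(line)
        except ValueError:          # unbalanced quotes
            return False
        if not tokens or tokens[0] not in ALLOWLIST:
            return False
    return True


def effective_directives(config):
    """The directive names the privileged openvpn process would actually act on."""
    return [tokenize(line)[0] for line in directive_lines(config)]


# Template approach: the file is rendered from fixed text and the only
# user-controlled values are validated so they cannot smuggle in a new line.
_HOST_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")

TEMPLATE = ("client\ndev tun\nproto udp\nremote {host} {port}\n"
            "remote-cert-tls server\nnobind\n")


def render_config(host, port):
    """Generate a config from TEMPLATE; rejects hostnames or ports that could
    inject an extra directive (e.g. a newline inside the hostname)."""
    if not _HOST_RE.match(host):
        raise ValueError("bad hostname")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError("bad port")
    return TEMPLATE.format(host=host, port=port)


# Constructed sample input: a benign client config, and the same config with
# the quoted bypass appended the way a limited user could have written it.
BENIGN = "client\ndev tun\nproto udp\nremote vpn.example.net 1194\n"
BYPASS = BENIGN + '"script-security" 2\n"up" "C:/Users/Public/evil.bat"\n'

if __name__ == "__main__":
    print("blacklist accepts bypass:", blacklist_filter_accepts(BYPASS))   # True
    print("openvpn would run:", effective_directives(BYPASS))
    print("allow-list accepts bypass:", allowlist_filter_accepts(BYPASS))  # False
```

The difference between the two checks is where they look: `blacklist_filter_accepts` inspects the text as the user wrote it, while `allowlist_filter_accepts` inspects what the parser produces, which is the only view that matters to the privileged process. `render_config` shows the template approach and the check it still needs, since a hostname containing a newline would otherwise become a second directive.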

UPDATE: NordVPN and ProtonVPN provided Tom's Guide with official statements, and NordVPN put up a blog post addressing the issue.

"The vulnerability had already been fixed by the time Cisco publicly disclosed the CVE," said Laura Tyrell, NordVPN's press officer. "At the beginning of August, an automatic update was pushed to all our customers, which means the majority of users had their apps updated long before the public disclosure."

"These actions virtually eliminated any risk of the vulnerability being exploited in real life conditions," Tyrell added. "It is also worth mentioning that in order to exploit the flaw, an attacker had to have access to a victim's PC. Such a situation alone leads to a variety of severe security threats beyond individual apps."

"Later versions of ProtonVPN have resolved this issue and an update has been rolled out to all users," a ProtonVPN spokeswoman said. "It is important to note that an attacker needs to already have access to the target's computer for this exploit to work, and it only impacts Windows users. The fix we have implemented should eliminate all bugs of this nature, and we continue to work with independent security researchers around the globe to make ProtonVPN more secure through our bug bounty program."

Jesus Diaz

Jesus Diaz founded the new Sploid for Gawker Media after seven years working at Gizmodo, where he helmed the lost-in-a-bar iPhone 4 story and wrote old angry man rants, among other things. He's a creative director, screenwriter, and producer at The Magic Sauce, and currently writes for Fast Company and Tom's Guide.