UPDATED 10:45 a.m. EDT Wednesday, Sept. 12, with statements from NordVPN and ProtonVPN.
Both companies have now patched their software, but you may have to run manual updates to get the fixes. If you are using either of these VPN services, update the client software as soon as possible.
According to Cisco Talos, which made the flaws public on Friday (Sept. 7), the two "vulnerabilities allow attackers to execute code as an administrator on Microsoft Windows operating systems from a standard user."
In other words, malware that infected a limited user's Windows account on which the NordVPN or ProtonVPN client software was running could leverage the flaw to seize full control of the machine. Needless to say, that's not supposed to happen.
The vulnerabilities are the result of half-hearted patches for a similar bug found earlier this year by VerSprite, a small Atlanta-based firm.
Back in April 2018, VerSprite found that it could edit OpenVPN configuration files in NordVPN and ProtonVPN client software.
OpenVPN is an open-source VPN protocol used by many commercial VPN services. The services use small text files called configuration files to tell the OpenVPN software how to connect to their VPN servers.
But unfortunately, while VPN client software runs as a limited user lacking the privileges to make changes to the system or to other applications, OpenVPN needs to have administrator privileges to work.
NordVPN and ProtonVPN made the mistake of letting their OpenVPN configuration files be accessible from and alterable by limited users. Because OpenVPN reads those files while running with administrator privileges, and a configuration file can instruct it to run other code, malware or an attacker with limited privileges could nevertheless seize control of the machine.
It's not clear whether any other VPN service providers might be affected by these privilege-escalation flaws, or if NordVPN and ProtonVPN's Mac and Linux client applications might be affected as well. [UPDATE: A ProtonVPN spokeswoman told us that only Windows systems are affected by the flaw.]
Following VerSprite's discovery in April, ProtonVPN and NordVPN released identical patches to their client software that, in theory, sealed the opening by forbidding four snippets of dangerous text from appearing in their OpenVPN configurations.
But Cisco Talos researcher Paul Rascagneres found that attackers could bypass those patches by simply putting quotation marks around the forbidden words.
Rascagneres reported the problem to NordVPN and ProtonVPN in July, and the companies recently released new patches that fix the holes.
NordVPN now generates OpenVPN configuration files on the fly from a fixed template, and ProtonVPN moved its configuration file to a folder that limited users cannot reach.
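Why a text blocklist fails where a quote-aware allowlist does not, shown as an added example that is not code from NordVPN, ProtonVPN or Cisco Talos. The article does not name the four forbidden strings, so the blocklist below is an assumption built from real OpenVPN directives that load code or run scripts; the allowlist and sample profiles are constructed.

```python
import shlex

# Assumption: the page does not list the four forbidden strings. These real
# OpenVPN directives, which load code or run scripts, stand in for them.
BLOCKED = ("plugin", "script-security", "up", "down")

# Hypothetical allowlist: the only directives this client's profiles may use.
ALLOWED = {"client", "dev", "proto", "remote", "nobind", "cipher", "auth", "verb"}


def naive_filter(config: str) -> bool:
    """Blocklist on raw text: accept unless a line starts with a blocked word."""
    for line in config.splitlines():
        if line.strip().startswith(BLOCKED):
            return False
    return True


def strict_validate(config: str) -> list:
    """Allowlist on parsed tokens. Returns the rejected lines (empty = accept)."""
    rejected = []
    for line in config.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":  # blank line or comment
            continue
        try:
            # Quote-aware split, so "name" and name yield the same first token.
            tokens = shlex.split(stripped)
        except ValueError:  # unbalanced quotes: refuse rather than guess
            tokens = []
        if not tokens or tokens[0] not in ALLOWED:
            rejected.append(stripped)
    return rejected


# Constructed sample profiles (placeholder host and file names).
BASE = "client\ndev tun\nproto udp\nremote vpn.example.com 1194\n"
PLAIN = BASE + "script-security 2\n"
QUOTED = BASE + '"script-security" 2\n"plugin" placeholder.dll\n'

if __name__ == "__main__":
    for name, cfg in (("base", BASE), ("plain", PLAIN), ("quoted", QUOTED)):
        print(name, "naive accepts:", naive_filter(cfg),
              "| strict rejects:", strict_validate(cfg))
```

A check like `strict_validate` is defense in depth only; the fixes the article describes (a fixed template, and a folder limited users cannot write to) remove the untrusted input altogether.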
UPDATE: NordVPN and ProtonVPN provided Tom's Guide with official statements, and NordVPN put up a blog post addressing the issue.
"The vulnerability had already been fixed by the time Cisco publicly disclosed the CVE," said Laura Tyrell, NordVPN's press officer. "At the beginning of August, an automatic update was pushed to all our customers, which means the majority of users had their apps updated long before the public disclosure."
"These actions virtually eliminated any risk of the vulnerability being exploited in real life conditions," Tyrell added. "It is also worth mentioning, that in order to exploit the flaw, an attacker had to have an access to a victim's PC. Such a situation alone leads to a variety of severe security threats beyond individual apps."
"Later versions of ProtonVPN have resolved this issue and an update has been rolled out to all users," a ProtonVPN spokeswoman said. "It is important to note that an attacker needs to already have access to the target's computer for this exploit to work, and it only impacts Windows users. The fix we have implemented should eliminate all bugs of this nature, and we continue to work with independent security researchers around the globe to make ProtonVPN more secure through our bug bounty program."