This popular VPN was hit by a major security vulnerability
SaferVPN vulnerability could have allowed local privilege escalation on Windows
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
UPDATE: SaferVPN has told TechRadar Pro that the company has now releasedversion 5.0.5.0 for Windows, which addresses CVE-2020-26050 and includes an update of the OpenSSL library.
ORIGINAL:A security researcher has discovered a new vulnerability in theVPNserviceSaferVPNthat could allow for local privilege escalation on Windows systems.
The local privilege escalation vulnerability was discovered by a researcher known as nmht3t who previously disclosed the fact thatSaferVPN silently fixed a DoS vulnerabilityin its VPN client last September. In a newblog postonMedium, mmht3t revealed why he chose to publicly disclose his latest discovery, saying:
“SaferVPN does not fix this vulnerability even after a 90-day disclosure deadline. Therefore, there is no patch available at the moment for this product. In order to inform the users of the vulnerability, I decided to publicly disclose the vulnerability.”
Security researchers often give companies a90-day deadlineto fix any vulnerabilities before they disclose them publicly. As SaferVPN failed to patch this latest vulnerability in a timely manner, mmht3t felt it was in the best interest of the company’s users to warn them about it.
Local privilege escalation flaw
According to mmht3t’s vulnerability summary, when SaferVPN attempts to connect to a VPN server it spawns theOpenVPNexecutable in the context of NT AUTHORITY\SYSTEM. The service’s VPN client then tries to load an openssl.cnf configuration file from a non-existing folder (C:\etc\ssl\openssl.cnf).
However, as a low-privileged users is able to create folders under C:\ on Windows, it’s possible for them to create the appropriate path and place a crafted openssl.cnf file in it. Once OpenVPN starts in SaferVPN, this file can load a malicious OpenSSL engine library which results in arbitrary code execution as SYSTEM.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
SaferVPN versions 5.0.3.3 to 5.04.15 are vulnerable to this local privilege escalation flaw tracked asCVE-2020–26050.
Mmht3t first discovered this vulnerability earlier this year and they sent the details of the vulnerability to SaferVPN in July. After a follow up with no response from the company and informing them that the 90-day disclosure deadline was approaching, mmht3t decided to make their findings public in January.
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
Mozambique VPN usage soars as internet restrictions continue
Retail and tech firms are hackers' most wanted targets – here’s what you can do about it
What to do after a data breach?
