A security researcher has discovered a new vulnerability in the VPN service SaferVPN that could allow for local privilege escalation on Windows systems.

The local privilege escalation vulnerability was discovered by a researcher known as mmht3t, who previously disclosed the fact that SaferVPN silently fixed a DoS vulnerability in its VPN client last September. In a new blog post on Medium, mmht3t revealed why he chose to publicly disclose his latest discovery, saying: "SaferVPN does not fix this vulnerability even after a 90-day disclosure deadline. Therefore, there is no patch available at the moment for this product. In order to inform the users of the vulnerability, I decided to publicly disclose the vulnerability."

Security researchers often give companies a 90-day deadline to fix any vulnerabilities before they disclose them publicly. As SaferVPN failed to patch this latest vulnerability in a timely manner, mmht3t felt it was in the best interest of the company's users to warn them about it.

Local privilege escalation flaw

According to mmht3t's vulnerability summary, when SaferVPN attempts to connect to a VPN server it spawns the OpenVPN executable in the context of NT AUTHORITY\SYSTEM. The service's VPN client then tries to load an openssl.cnf configuration file from a non-existent folder (C:\etc\ssl\openssl.cnf). However, as a low-privileged user is able to create folders under C:\ on Windows, it is possible for them to create the appropriate path and place a crafted openssl.cnf file in it. Once OpenVPN starts in SaferVPN, this file can load a malicious OpenSSL engine library, which results in arbitrary code execution as SYSTEM.

SaferVPN versions 5.0.3.3 to 5.04.15 are vulnerable to this local privilege escalation flaw, tracked as CVE-2020-26050. Mmht3t first discovered this vulnerability earlier this year and sent the details of the vulnerability to SaferVPN in July. After a follow-up with no response from the company, and after informing them that the 90-day disclosure deadline was approaching, mmht3t decided to make their findings public in January.
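As an added example (not code from the article, the researcher or SaferVPN), the following PowerShell audits a Windows host for the condition described above: it reports whether C:\etc, C:\etc\ssl and the openssl.cnf file exist, who owns them, and whether a low-privileged principal could create the missing link in that chain. The path names are the ones quoted in the article; the function names, the SID list and the interim mitigation of pre-creating the directory chain with an admin-only ACL are assumptions of this example, not a vendor fix.

```powershell
# Added example: audit (and optionally pre-empt) the openssl.cnf hijack path the article describes.
# Run elevated. Pre-creating the chain with an admin-only ACL is an assumed interim mitigation, not a vendor fix.
$ConfigPath  = 'C:\etc\ssl\openssl.cnf'
$Dirs        = @('C:\etc', 'C:\etc\ssl')
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')   # Everyone, Authenticated Users, BUILTIN\Users
$CreateMask  = 6   # FileSystemRights CreateFiles/WriteData (2) -bor CreateDirectories/AppendData (4)

function Test-LowPrivCreate {
    # True if a low-privileged principal holds an Allow ACE on $Path itself that permits adding a file or subfolder.
    param([string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.PropagationFlags -band 2) -ne 0) { continue }   # InheritOnly: applies to children, not $Path
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($LowPrivSids -contains $sid -and (([int]$ace.FileSystemRights -band $CreateMask) -ne 0)) { return $true }
    }
    return $false
}

function Get-OpensslCnfExposure {
    # Each path in the chain: present (owner, low-priv write/create right) or missing; then whether the first missing directory is creatable.
    $report = [ordered]@{}
    foreach ($p in ($Dirs + $ConfigPath)) {
        if (Test-Path -LiteralPath $p) {
            $acl = Get-Acl -LiteralPath $p
            $report[$p] = "present; owner=$($acl.Owner); low-priv write/create=$(Test-LowPrivCreate $p)"
        } else { $report[$p] = 'missing' }
    }
    $firstMissing = $Dirs | Where-Object { -not (Test-Path -LiteralPath $_) } | Select-Object -First 1
    if ($firstMissing) {
        $report["low-priv can create $firstMissing"] = Test-LowPrivCreate (Split-Path -Parent $firstMissing)
    }
    return $report
}

function Set-OpensslCnfGuard {
    # Assumed interim mitigation: claim the directory chain first and allow writes only to Administrators and SYSTEM.
    # Review Get-OpensslCnfExposure first; a pre-existing, user-owned openssl.cnf is an incident to investigate, not lock down silently.
    New-Item -ItemType Directory -Path 'C:\etc\ssl' -Force | Out-Null
    foreach ($d in $Dirs) {
        $acl = Get-Acl -LiteralPath $d
        $acl.SetAccessRuleProtection($true, $false)   # stop inheriting the permissive rules from C:\
        foreach ($rule in @(@('BUILTIN\Administrators','FullControl'), @('NT AUTHORITY\SYSTEM','FullControl'), @('BUILTIN\Users','ReadAndExecute'))) {
            $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($rule[0], $rule[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
        }
        Set-Acl -LiteralPath $d -AclObject $acl
    }
}

Get-OpensslCnfExposure | Format-Table -AutoSize
```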
source https://www.techradar.com/news/this-popular-vpn-has-been-hit-by-a-major-security-vulnerability/
Rule #21 of the internet: Original content is original only for a few seconds before getting old.