VPN security flaw left big businesses at risk

Someone using a VPN on a PC.
Image credit: Shutterstock (Image credit: Shutterstock)

The open source enterprise VPN supplier Aviatrix, whose customers include BT, NASA and Shell, has patched a serious vulnerability that if exploited, could give an attacker escalation privileges on a machine they already had access to.

Immersive Labs researcher and content engineer Alex Seymour first discovered the vulnerability after he noticed that the company's VPN client was particularly verbose when booting up on a Linux machine.

The disclosure comes just two months after the NSA and the National Security Council warned organizations that state-sponsored attackers had begun to target vulnerabilities in VPNs. In a blog post announcing his discovery, Seymour warned that enterprise customers should install Aviatrix's latest patch as soon as possible, saying:

“Coming hot on the heels of the UK and US Government warnings about VPN vulnerabilities, this underlines that often the technology protecting enterprises needs to be managed as tightly as the people using it. People tend to think of their VPN as one of the more secure elements of their security posture, so it should be a bit of a wakeup call for the industry. Users should install the new patch as soon as possible to ensure there is no exploitation in the wild.”

VPN vulnerability

The security flaw that Seymour discovered affects the Linux, macOS and FreeBSD versions of Aviatrix's client which all use OpenVPN command's -up and -down flags in order to execute shell scripts when a VPN connection is established or cut off.

As a result of weak file permissions set on the installation directory on Linux and FreeBSD, an attacker could potentially modify these scripts to execute with elevated privileges when the backend service executes the OpenVPN command. This would give an attacker access to files, folders and network services running on a machine using Aviatrix's VPN.

According to Seymour, Aviatrix has taken his disclosure very seriously and the company worked closely with Immersive Labs throughout the remediation process before it released a patch for the issue at the beginning of November.

If your organization is currently using Aviatrix's VPN client on Linux, FreeBSD or macOS, it is highly recommended that you apply the company's patch immediately to avoid falling victim to a privilege escalation attack.

  • Also check out our complete list of the best VPN services

Via Computer Weekly

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.