Talos researcher Paul Rascagneres said in a blog post that the vulnerabilities were similar to one found by security firm VerSprite in April. While both NordVPN and ProtonVPN, both widely used VPN clients, had issued fixes for the flaw found in April, Rascagneres said the Talos team had found a way to bypass the patch.
He said both clients shared a similar design: a user interface that ran with the privileges of the logged-in user, and a service that received orders from the UI.
"The purpose of this application (the UI) is to allow the user to select the VPN configuration, such as the protocol, the location of the VPN server, etc," Rascagneres wrote. "The information is sent to a service when the user clicks on 'connect' (it's, in fact, an OpenVPN configuration file)."
The service binary received the VPN configuration file from the UI; its purpose was to launch the OpenVPN client binary with that user-supplied configuration file, with administrator privileges.
Because of the new flaw found by Talos, the service could be abused to let any standard user run arbitrary commands through OpenVPN with administrator privileges, he pointed out.
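As an added illustration of the defender-side check such a design calls for (example code written for this article, not from Talos, NordVPN or ProtonVPN): a privileged service that launches OpenVPN on behalf of an unprivileged UI should validate the configuration it receives against an allowlist of directives rather than a denylist, since the April patch described above was bypassed and denylists invite exactly that. The directive set and the /etc/examplevpn directory are assumptions for the example.

```python
import os
import shlex

# Constructed example: an allowlist of OpenVPN client directives that a
# privileged helper service could accept from an unprivileged UI. Every
# directive outside this set is rejected, so directives that run programs,
# load plugins or write arbitrary files never reach the privileged process.
# (Hypothetical list; tailor it to the client's own generated configs.)
ALLOWED_DIRECTIVES = {
    "client", "remote", "proto", "dev", "resolv-retry", "nobind",
    "persist-key", "persist-tun", "cipher", "auth", "verb",
    "remote-cert-tls", "auth-user-pass", "ca", "cert", "key",
}
# Directives whose argument names a file; the file must live under the
# service's own directory (assumed path, not from either vendor).
FILE_DIRECTIVES = {"ca", "cert", "key", "auth-user-pass"}
TRUSTED_DIR = "/etc/examplevpn"


def _inside_trusted_dir(path):
    full = os.path.normpath(os.path.join(TRUSTED_DIR, path))
    return os.path.commonpath([TRUSTED_DIR, full]) == TRUSTED_DIR


def validate_config(text):
    """Return a list of problems; an empty list means the config may be
    handed to the privileged OpenVPN launcher."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # OpenVPN treats lines beginning with '#' or ';' as comments.
        if not line or line[0] in "#;":
            continue
        try:
            tokens = shlex.split(line)  # honours quoting: '"dev" tun' -> dev
        except ValueError:
            problems.append(f"line {lineno}: unbalanced quoting")
            continue
        if not tokens:
            continue
        directive = tokens[0].lower()
        if directive not in ALLOWED_DIRECTIVES:
            # Inline blocks such as <ca> land here too; reject them for simplicity.
            problems.append(f"line {lineno}: directive {directive!r} not permitted")
        elif directive in FILE_DIRECTIVES and len(tokens) > 1 \
                and not _inside_trusted_dir(tokens[1]):
            problems.append(f"line {lineno}: file argument escapes {TRUSTED_DIR}")
    return problems
```

Because quoting is resolved before the directive name is compared, a quoted or oddly cased directive cannot slip past the check, and every rejection is reported with its line number so the UI can show it to the user.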
The versions of the clients tested were ProtonVPN VPN Client 1.5.1 and NordVPN 220.127.116.11.
NordVPN press officer Laura Tyrell said in an unsolicited comment sent to iTWire that the vulnerability in the company's VPN application had been fixed by the time Cisco publicly disclosed the CVE.
"At the beginning of August, an automatic update was pushed to all our customers, which means the majority of users had their apps updated long before the public disclosure. These actions virtually eliminated most of the risk for the vulnerability to be exploited in real life conditions," she claimed.
"In order to exploit the flaw, an attacker had to have physical access to a victim's PC. Such a situation alone leads to a variety of severe security threats beyond [that posed by] any individual apps. In order to apply the best security practices, we are also running an independent application security audit."
Tyrell said the company had published its own advisory about the flaw.