Monday, 10 September 2018 10:11

Cisco team finds holes in NordVPN and ProtonVPN Windows clients


Cisco's Talos Intelligence Group says it has discovered similar vulnerabilities in the NordVPN and ProtonVPN clients for Windows, which allow an ordinary user to run commands as an administrator.

Talos researcher Paul Rascagneres said in a blog post that the vulnerabilities were similar to one found by security firm VerSprite in April. While NordVPN and ProtonVPN, both widely used VPN clients, had issued fixes for the flaw found in April, Rascagneres said the Talos team had found a way to bypass the patch.

He said both clients had a similar design: a user interface that ran with the permissions of the logged-in user, and a service that received orders from the UI.

"The purpose of this application (the UI) is to allow the user to select the VPN configuration, such as the protocol, the location of the VPN server, etc," Rascagneres wrote. "The information is sent to a service when the user clicks on 'connect' (it's, in fact, an OpenVPN configuration file)."

The service binary received the VPN configuration file from the UI; its purpose was to execute the OpenVPN client binary with administrator privileges, using the configuration file supplied by the user.

But due to the new flaw found by Talos, it was possible to abuse the service and allow any standard user to run arbitrary commands through OpenVPN with administrator privileges, he pointed out.
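The design described above places a trust boundary between the unprivileged UI and the privileged service, so the service has to decide which configuration lines it will pass on to OpenVPN. The sketch below is an added example, not code from NordVPN, ProtonVPN or Talos; the allowlist contents and function names are assumptions. It tokenises each line with quote handling and refuses any directive outside a fixed allowlist, rather than matching raw line prefixes.

```python
import shlex

# Assumption: the only directives this hypothetical client needs. OpenVPN
# options that load or run external code (up, plugin, script-security, ...)
# are refused simply because they are not listed.
ALLOWED_DIRECTIVES = frozenset({
    "client", "dev", "proto", "remote", "resolv-retry", "nobind",
    "persist-key", "persist-tun", "remote-cert-tls", "cipher", "auth", "verb",
})

def directive_of(line):
    """Directive name of one line; None for blank or comment lines."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#;":
        return None
    try:
        # Unquote before comparing, so a quoted name cannot slip past a
        # check that the real parser would read differently.
        tokens = shlex.split(stripped, comments=True)
    except ValueError:          # unbalanced quotes: fail closed
        return "<unparseable>"
    return tokens[0] if tokens else None

def rejected_lines(config_text):
    """Return (line_number, directive) for every line outside the allowlist."""
    bad = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        name = directive_of(line)
        if name is not None and name not in ALLOWED_DIRECTIVES:
            bad.append((number, name))
    return bad

def is_safe_to_launch(config_text):
    """The privileged service starts OpenVPN only if nothing was rejected."""
    return not rejected_lines(config_text)

# Constructed sample configurations (not taken from either product).
BENIGN = """\
client
dev tun
remote vpn.example.net 1194
# constructed comment line
verb 3
"""
UNTRUSTED = BENIGN + """\
script-security 2
"up" "placeholder-command"
plugin example.dll
remote "unterminated
"""
```
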

The versions of the clients tested were ProtonVPN VPN Client 1.5.1 and NordVPN

Detailed vulnerability reports are here for NordVPN and at this link for ProtonVPN.

NordVPN press officer Laura Tyrell said in an unsolicited comment sent to iTWire that the vulnerability in the company's VPN application had been fixed by the time Cisco publicly disclosed the CVE.

"At the beginning of August, an automatic update was pushed to all our customers, which means the majority of users had their apps updated long before the public disclosure. These actions virtually eliminated most of the risk for the vulnerability to be exploited in real life conditions," she claimed.

"In order to exploit the flaw, an attacker had to have physical access to a victim's PC. Such a situation alone leads to a variety of severe security threats beyond [that posed by] any individual apps. In order to apply the best security practices, we are also running an independent application security audit."

Tyrell said the company had published its own advisory about the flaw.




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


