SaferVPN Hit By Major Security Vulnerability

By ISBuzz Team
Writer, Information Security Buzz | Jan 13, 2021 03:41 am PST

A new vulnerability has been discovered in the VPN service SaferVPN that could allow local privilege escalation on Windows systems. The researcher mmht3t discovered this vulnerability and briefly described its exploitation as follows:

  • When SaferVPN attempts to connect to a VPN server, it spawns the OpenVPN executable in the context of NT AUTHORITY\SYSTEM;
  • The VPN then tries to load an openssl.cnf configuration file from a non-existent folder (C:\etc\ssl\openssl.cnf);
  • Because low-privileged users are able to create folders under C:\ on Windows, it’s possible for them to create the appropriate path and place a crafted openssl.cnf file in it;
  • Once OpenVPN starts in SaferVPN, this file can load a malicious OpenSSL engine library which results in arbitrary code execution as SYSTEM.
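
A defender's check for the lookup path described above, as an added example that is not from the article or the researcher: it reports whether each component of C:\etc\ssl\openssl.cnf exists and, if it does, whether a principal outside an assumed trusted list owns it or can write to it. The function name Test-LookupPath and the $Trusted list (English account names) are assumptions to adjust for your environment.

```powershell
# Added example (not from the article): audit the openssl.cnf lookup path.
# Assumption: only the principals in $Trusted should own or write to it.
# Account names are the English ones; localized systems use other names.
$Paths   = 'C:\etc', 'C:\etc\ssl', 'C:\etc\ssl\openssl.cnf'
$Trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
           'NT SERVICE\TrustedInstaller'

# Specific write-type rights plus the GENERIC_WRITE and GENERIC_ALL bits,
# which can appear unmapped in ACEs inherited from the drive root.
$Rights    = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($Rights::WriteData -bor $Rights::AppendData -bor
                   $Rights::Delete -bor $Rights::ChangePermissions -bor
                   $Rights::TakeOwnership) -bor 0x40000000 -bor 0x10000000

function Test-LookupPath {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        # Absent is the default state the article describes.
        return [pscustomobject]@{ Path = $Path; Status = 'Absent'; Detail = '' }
    }
    $acl = Get-Acl -LiteralPath $Path
    $findings = @()
    # An owner outside the trusted list can rewrite the ACL at will.
    if ($Trusted -notcontains $acl.Owner) {
        $findings += "owner=$($acl.Owner)"
    }
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        $canWrite = ([int]$ace.FileSystemRights -band $WriteMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
            $Trusted -notcontains $id) {
            $findings += "writable-by=$id"
        }
    }
    $status = if ($findings) { 'Review' } else { 'Restricted' }
    [pscustomobject]@{ Path = $Path; Status = $status
                       Detail = ($findings | Select-Object -Unique) -join '; ' }
}

$Paths | ForEach-Object { Test-LookupPath -Path $_ } |
    Format-Table -AutoSize -Wrap
```

A status of Absent means the path is in the default state the article describes, where a low-privileged user could still create it; Review means the path exists and something outside the trusted list owns it or can modify it.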