Saturday, Sep 19, 2020

ProtonVPN, NordVPN Patch Windows Bug

ProtonVPN and NordVPN contained vulnerabilities that could have allowed hackers to execute arbitrary code with administrator privileges on computers running Windows.

The bugs, CVE-2018-3952 (affecting NordVPN) and CVE-2018-4010 (affecting ProtonVPN), were discovered by Cisco Talos security researchers and are similar to another security flaw (tracked as CVE-2018-10169) discovered in March by security consulting firm VerSprite.

By April, NordVPN and ProtonVPN had released patches to fix the original vulnerability, but according to Talos it was still possible to execute code as an administrator, albeit through an exploit.

The initial vulnerability arose because OpenVPN could be made to load a malicious file as its VPN configuration, which could then expose private information and allow arbitrary commands to be run.

Both clients use OpenVPN’s open-source software to set up secure connections from one point to another. Since the service requires admin privileges to run, any code it runs also has those privileges. However, Cisco Talos found that the bug fixes could be bypassed by putting certain parameters in quotation marks.
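To show why quoting can slip past a filter that inspects raw text, here is an added example (not code from the article, Talos, or either vendor) comparing a raw-text check with one that tokenizes each line first. The directive denylist, the sample configuration, and the use of Python's `shlex` as a stand-in for OpenVPN's own option parser are all assumptions of this example.

```python
import shlex

# Assumed denylist: OpenVPN directives that cause external code to run.
EXEC_DIRECTIVES = {
    "plugin", "script-security", "up", "down", "down-pre", "route-up",
    "route-pre-down", "ipchange", "tls-verify", "auth-user-pass-verify",
    "client-connect", "client-disconnect", "learn-address",
}

# Constructed sample configuration; host and file names are placeholders.
SAMPLE = (
    "client\n"
    "remote vpn.example.invalid 1194\n"
    '"script-security" 2\n'
    '"up" "placeholder.exe"\n'
)


def naive_check(config: str) -> list[str]:
    """Flag lines whose raw text starts with a denylisted directive."""
    return [
        line for line in config.splitlines()
        if any(line.strip().startswith(d) for d in EXEC_DIRECTIVES)
    ]


def tokenized_check(config: str) -> list[str]:
    """Flag lines whose first token, after quote removal, is denylisted."""
    flagged = []
    for line in config.splitlines():
        try:
            # shlex approximates the config parser: quotes are stripped,
            # '#' starts a comment.
            tokens = shlex.split(line, comments=True)
        except ValueError:
            flagged.append(line)  # unbalanced quotes: fail closed
            continue
        if tokens and tokens[0].lstrip("-").lower() in EXEC_DIRECTIVES:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    print("naive:    ", naive_check(SAMPLE))
    print("tokenized:", tokenized_check(SAMPLE))
```

A denylist remains a partial control; the vendor fixes described in this article instead keep the configuration files where users cannot modify them.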

NordVPN developed a fix by August by generating OpenVPN configuration files that cannot be edited by users.

“The vulnerability had already been fixed by the time Cisco publicly disclosed the CVE. In the beginning of August an automatic update has been pushed to all of our customers as well, so none of them should be vulnerable at the moment,” NordVPN said.

ProtonVPN’s patch was released earlier this month and changed the location of the configuration files to the installation directory, where users can’t modify them.

“Later versions of ProtonVPN have resolved this issue and users have been automatically prompted to update. We have not seen any evidence of this being exploited in the wild, as a user’s computer needs to first be compromised by a hacker before this bug can be exploited,” ProtonVPN tells ZDNet. “The fix we have implemented should eliminate all bugs of this nature. We continue to work with independent security researchers around the globe to make ProtonVPN more secure through our bug bounty program.”
