PureVPN Suffers from Two Vulnerabilities That Can Leak Passwords [Updated]
Last updated September 23, 2021
Security researcher “nmht3t” has discovered a local privilege escalation flaw affecting the ‘SaferVPN’ product - and more specifically, its Windows client. The vulnerable versions are anything from 5.0.3.3 to the most recent one, which is 5.0.4.15. This means that the flaw, given the “CVE-2020-26050” identifier, is still unfixed, and the VPN vendor hasn’t provided a fixing patch yet. And as denoted by the identifier, the researcher reported this bug 90 days ago, so we have now reached the disclosure deadline.
The researcher has provided the proof of concept example through video and also details how to reproduce it on the relevant write-up, so anyone can now hit ‘SaferVPN.’ According to the researcher, SaferVPN spawns an OpenVPN executable in the context of NT AUTHORITYSYSTEM every time it attempts to connect to a VPN server.
Then, it tries to load an openssl.cnf configuration file for a folder in C: - which is automatically created at that moment. If someone plants a crafted configuration file in that path (C:etcsslopenssl.cnf), a malicious OpenSSL engine library will be loaded, eventually resulting in arbitrary code execution as SYSTEM.
Since this attack has publicly available instructions on carrying it out, and since the attacker wouldn’t need to have special or high privileges to launch it successfully, we would suggest that you avoid using the product until the vendor pushes a fixing update. According to the researcher, SaferVPN’s team never responded to his warnings and messages, which does not indicate an actively supported and generally “alive” project. This is very unfortunate, as SaferVPN has had a good reputation in general.
In our in-depth review of the product, SaferVPN scored a respectable 7.8 out of 10. We praised the product for not being involved in data breach incidents, being easy to install, rich in features, and having competitive pricing. On the negative side, server speeds suffered, and there was no wide platform support. These two are signs of limited resources, so again, SaferVPN appears incapable of living up to its name.