A virtual private network (VPN) used by NASA, Shell, and BT has been found to have multiple vulnerabilities.
Weaknesses in the Aviatrix VPN were detected by Immersive Labs researcher and content engineer Alex Seymour on October 7, 2019.
The multiple local privilege escalation vulnerabilities Seymour discovered would have allowed an attacker who already had access to a machine to escalate privileges and achieve anything they wanted. With the extra level of privileges, the attacker would have been able to dive into files, folders, and network services that the user would not previously have been able to access.
The discovery comes just two months after the National Security Agency (NSA) and National Security Council (NSC) both issued warnings regarding state-sponsored attacks aimed at exploiting vulnerabilities in VPNs.
Alex Seymour said: “Coming hot on the heels of the UK and US Government warnings about VPN vulnerabilities, this underlines that often the technology protecting enterprises needs to be managed as tightly as the people using it.
“People tend to think of their VPN as one of the more secure elements of their security posture, so it should be a bit of a wakeup call for the industry.”
Aviatrix took swift action to address the issue, releasing a patch, v2.4.10 on November 4.
“Users should install the new patch as soon as possible to ensure there is no exploitation in the wild,” said Seymour
A spokesperson for Immersive Labs said that Aviatrix has been responsive and open to discussion after the vulnerabilities were disclosed and had taken on board advice on how to resolve the issue.
“The changes made to resolve the issue were timely and well implemented. They have kept communication open throughout the disclosure process, remaining positive and showing that they take the security of their customers and product seriously,” said the Immersive Labs spokesperson.
Seymour’s suspicions were aroused when he noticed a wordy outpouring after firing up the Aviatrix VPN on a Linux machine. The last two lines of script indicated that two local web servers were started when the VPN was launched.
Weak file permissions set on the installation directory on Linux and FreeBSD made it possible to modify shell scripts that are executed when a VPN connection is established and terminated. When the back-end service executed the “OpenVPN” command, the script was executed with elevated privileges.