Two local privilege escalation vulnerabilities have been identified by a researcher in an enterprise VPN product from cloud-native networking solutions provider Aviatrix.
Aviatrix claims to have over 400 customers worldwide, including companies such as Netflix, United Airlines, Docker, Epsilon, and some major hotel chains.
Immersive Labs researcher Alex Seymour discovered that the Aviatrix VPN, which is based on OpenVPN, is affected by two vulnerabilities. The weaknesses were reported to the vendor in early October and patched less than one month later with the release of version 2.4.10.
The vulnerabilities allow an attacker who already has access to the targeted machine to elevate privileges and gain access to data and services they may not be able to access with the permissions of a regular user.
One of the privilege escalation flaws, tracked as CVE-2019-17388, is caused by weak file permissions, while the other, tracked as CVE-2019-17387, involves service code execution. They both allow an attacker to execute arbitrary code with elevated privileges.
“Coming hot on the heels of the UK and US Government warnings about VPN vulnerabilities, this underlines that often the technology protecting enterprises needs to be managed as tightly as the people using it,” Seymour explained. “People tend to think of their VPN as one of the more secure elements of their security posture, so it should be a bit of a wakeup call for the industry.”
Immersive Labs has published a blog post containing technical details for both vulnerabilities.
In an advisory published for these vulnerabilities, Aviatrix clarified that only the local machine running the VPN Client is affected — they do not impact the VPN Gateway or machines running other OpenVPN-compatible VPN clients, and they would be useless to attackers who already have administrator privileges on the targeted system. The attacks work on all operating systems supported by Aviatrix.
Threat actors have been known to exploit vulnerabilities in enterprise VPNs, and while the Aviatrix flaws might seem less attractive for hackers, they should not be ignored and the vendor has advised customers to update the client immediately.