Vulnerabilities Found in Aviatrix Enterprise VPN

A researcher has found two local privilege escalation vulnerabilities in the enterprise VPN software of cloud-native networking solutions provider Aviatrix.

Aviatrix claims to have over 400 customers worldwide, including Netflix, United Airlines, Docker and Epsilon.

Immersive Labs researcher Alex Seymour found that the OpenVPN-based Aviatrix VPN has two vulnerabilities. The bugs were reported to the vendor in early October and fixed in version 2.4.10 less than a month later.

The vulnerabilities enable an attacker who already has access to a targeted computer to escalate privileges and access data and services that a regular user would not be allowed to access.

One of the privilege escalation weaknesses, tracked as CVE-2019-17388, is due to weak file permissions, and the other, tracked as CVE-2019-17387, is due to the execution of service software. Both allow an attacker to execute arbitrary code with elevated privileges.

“When the UK and the U.S. government reports about VPN vulnerabilities, that often underlines the need for software security firms to be regulated just as closely as the people who use it,” Seymour stated. “This is a little bit of a wake-up call for the industry; people tend to think of their VPN as one of the most protected elements in their security position.” Immersive Labs released a blog post providing technical details for both vulnerabilities.

According to an advisory released for these vulnerabilities, only the local machine running the VPN client is affected. The flaws do not impact the VPN gateway or machines running other OpenVPN-compliant VPN clients, and they would be of no use to attackers who already have administrator privileges on the targeted device. The attacks work on all Aviatrix-supported operating systems.

Threat actors are known to take advantage of weaknesses in enterprise VPNs, and although the Aviatrix flaws may seem less appealing to attackers, they should not be overlooked.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.