Home | Research | Resources | Advisories | IPVanish for MacOS
Root Privilege Escalation
CVE ID
CVE-2018-10192
VENDOR
IPVanish VPN
PRODUCT
IPVanish VPN for macOS
Product version
3.0.11
Vulnerability Details
IPVanish for MacOS suffers from a root privilege escalation vulnerability. The com.ipvanish.osx.vpnhelper
LaunchDaemon implements an insecure XPC service that could allow an attacker to execute arbitrary code as the root user. IPVanish uses a third-party library for converting xpc_object_t
types in to NSObject
types for sending XPC messages. When IPVanish establishes a new connection the following XPC message is sent to the com.ipvanish.osx.vpnhelper
LaunchDaemon. Because the XPC service itself does not validate incoming connection, this means any application installed on the operating system can send it XPC messages. In the case of the "connect" message, an attacker could manipulate the OpenVPNPath
to point at a malicious binary on the system. The com.ipvanish.osx.vpnhelper
would receive the VPNHelperConnect command, then execute the malicious binary as the root user.
Learn More →
Vendor response
Vendor's development team is reviewing
Disclosure timeline
03-27-2018 - Vendor disclosure via the support page 03-27-2018 - Vendor notified via Facebook 03-27-2018 - Vendor response via email 04-09-2018 - VerSprite Security extends advisory release timeline 04-16-2018 - Vendor notified of the advisory release