PureVPN for MacOS
Root Privilege Escalation
CVE ID
Vendor
PureVPN
Product
PureVPN
Product Version
PureVPN for MacOS < 6.0.1
Vulnerability Details
The HelperTool LaunchDaemon in PureVPN for MacOS implements an unprotected XPC service that can be abused to execute system commands as root.
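
A hardened listener for a privileged helper of this kind, as an added example (not PureVPN's code), assuming "unprotected" means the helper accepts XPC connections from any local process. The Mach service name, bundle identifier, team ID and the `HelperProtocol` interface are hypothetical placeholders; `setConnectionCodeSigningRequirement` requires macOS 13 or later.

```swift
import Foundation

// Hypothetical values: the advisory does not give the real service name or signing identity.
let machServiceName = "com.example.vpn.HelperTool"
// Only clients signed by the vendor's team, with the expected identifier, satisfy this.
let clientRequirement =
    "anchor apple generic and identifier \"com.example.vpn\" " +
    "and certificate leaf[subject.OU] = \"ABCDE12345\""

// Expose narrow, typed operations. A method that takes a command string and
// runs it as root gives every accepted client full control of the system.
@objc protocol HelperProtocol {
    func helperVersion(reply: @escaping (String) -> Void)
}

final class Helper: NSObject, HelperProtocol, NSXPCListenerDelegate {
    func helperVersion(reply: @escaping (String) -> Void) {
        reply("1.0")
    }

    // An unprotected helper does only what this method does: export the
    // object and return true. The protection here comes from the code
    // signing requirement set on the listener before it is resumed.
    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection connection: NSXPCConnection) -> Bool {
        connection.exportedInterface = NSXPCInterface(with: HelperProtocol.self)
        connection.exportedObject = self
        connection.resume()
        return true
    }
}

let helper = Helper()
let listener = NSXPCListener(machServiceName: machServiceName)

if #available(macOS 13.0, *) {
    // Peers whose code signature does not satisfy the requirement are rejected.
    listener.setConnectionCodeSigningRequirement(clientRequirement)
} else {
    // Fail closed rather than run as root without client validation.
    exit(EXIT_FAILURE)
}

listener.delegate = helper
listener.resume()
RunLoop.main.run()
```
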
Vendor Response
PureVPN provided an updated, patched version for validation; however, the vulnerability appears to still be present.
Disclosure Timeline
- Disclosed to PureVPN via support
- Contacted PureVPN via contact form
- Contacted PureVPN via Twitter
- Disclosed to PureVPN via email
- PureVPN confirmed they received the disclosure
- PureVPN provided updated file for testing
- Patched version provided by PureVPN still contained vulnerability
- Updated PureVPN, still waiting for a response