Home | Research | Resources | Advisories | SaferVPN for Windows
Privilege Escalation
CVE ID
CVE-2018-10647
VENDOR
Safer Social Ltd
PRODUCT
SaferVPN
Product version
4.2.5
Vulnerability Details
SaferVPN for Windows suffers from a SYSTEM
privilege escalation vulnerability in its SaferVPN.Service
service. The SaferVPN.Service
service executes openvpn.exe
using OpenVPN config files located within the current user's local application data directory i.e. \AppData\Local\SaferVPN\OvpnConfig\
. An authenticated attacker may modify these configuration files to specify a dynamic library plugin that should run for every new VPN connection attempt. This plugin will execute code in the context of the SYSTEM
user.
Learn More →
Vendor response
A release is scheduled
Disclosure timeline
04-09-2018 - Vendor disclosure via email 04-09-2018 - Vendor notified via Facebook 04-10-2018 - Vendor response via email: Reviewing 04-18-2018 - Vendor followup 04-20-2018 - Vendor response: A release is scheduled that resolves this issue 05-01-2018 - Vendor notified of the advisory release