HomeAdvisoriesVyprVPN for MacOS

VyprVPN for MacOS

Privilege Escalation

Previous AdvisoryNext Advisory

CVE ID

CVE-2017-17809

Vendor

Golden Frog

Product

VyprVPN

Product Version

VyperVPN for MacOS < 2.15.0.5828

Vulnerability Details

The VyprVPN for MacOS’s vyprvpnservice launch daemon has an unprotected XPC service that allows attackers to update the underlying OpenVPN configuration and the arguments passed to OpenVPN binary when executed. An attacker can abuse this vulnerability by forcing the VyprVPN application to load a malicious dynamic library every time a new connection is made.

Learn more

Vendor Response

Golden Frog accepted and remediated the vulnerability

Disclosure Timeline

08.12.2017
Contacted Gold Frog Support and asked to be put in touch with a security resource for the disclosure process
08.12.2017
Golden Frog Supported responded requesting details about the vulnerability
08.12.2017
Responded to Gold Frog Support with the requested details
08.12.2017
Golden Frog Support asked that the details be forwarded to [email protected], I complied
11.12.2017
A Golden Frog technical representative asked for the vulnerability details again, I complied
13.12.2017
The Golden Frog technical representative informed me they had a fix and asked for a proof of concept
15.12.2017
The Golden Frog technical representative apprised me they would be scheduling a product update for the following week
20.12.2017
The VyprVPN for MacOS update is made available
20.12.2017
Advisory is released

Previous AdvisoryNext Advisory

A Look at RACI Models within Application Threat Modeling

Offensive Security

DevSecOps

GRC Services

Threat Intelligence

VS-Labs Security Research

Envisions Geopolitical Threat Report:

By Industry

Chrome Exploitation: How to easily launch a Chrome RCE+SBX exploit chain with one command

Security Resources

5 Steps to Implement an Application Threat Modeling Program

Who We Are