Home | Research | Resources | Advisories | VyprVPN for Windows
Privilege Escalation
CVE ID
CVE-2018-10645
VENDOR
Golden Frog
PRODUCT
VyprVPN
Product version
2.12.1.8015
Vulnerability Details
VyprVPN for Windows suffers from a SYSTEM privilege escalation vulnerability through the VyprVPN service. This service establishes an NetNamedPipe endpoint that allows applications to connect and call publicly exposed methods. The SetProperty method allows an attacker to configure the AdditionalOpenVpnParameters property and control the OpenVpn command line. Using the OpenVPN plugin parameter, an attacker may specify a dynamic library plugin that should run for every new VPN connection attempt. This plugin will execute code in the context of the SYSTEM user. This attack may be conducted using VyprVPN Free account credentials and the VyprVPN Desktop Client.
Learn More →
Vendor response
A release is scheduled
Disclosure timeline
04-09-2018 - Vendor disclosure via email 04-09-2018 - Vendor notified via Facebook 04-10-2018 - Vendor response via email: Vulnerability resolved in latest release 04-16-2018 - VerSprite verifies vulnerability unresolved 04-17-2018 - VerSprite notifies the vendor of findings 04-25-2018 - Vendor followup 04-26-2018 - Vendor response: A release is scheduled that resolves this vulnerability 05-01-2018 - Vendor notified of the advisory release
Copyright 2021 VerSprite - All Rights Reserved
