HomeAdvisoriesPrivate Internet Access VPN Client for Windows

Private Internet Access VPN Client for Windows

Privilege Escalation

Previous AdvisoryNext Advisory

CVE ID

CVE-2018-10190

Vendor

London Trust Media, Inc

Product

Private Internet Access VPN for Windows

Product Version

v77

Vulnerability Details

A vulnerability in Private Internet Access VPN Client for Windows could allow an unauthenticated, local attacker to run executable files with elevated privileges. The vulnerability is due to insufficient implementation of the access controls. The Changelog and Help options available from the system tray context menu for the PIA VPN client spawns an elevated instance of the user’s default web browser. An attacker could exploit this vulnerability by selecting Run as Administratorfrom the context menu of an executable file within the file browser of the spawned default web browser. This may allow the attacker to execute privileged commands on the targeted system.

Learn more

Vendor Response

The vendor has released an update

Disclosure Timeline

23.03.2018
Vendor disclosure via email
23.03.2018
Vendor notified via Facebook
23.03.2018
Vendor response via email
27.03.2018
Vendor requests resubmission of disclosure to London Trust Media
27.03.2018
Resubmission of vendor disclosure
27.03.2018
Vendor responded with bug bounty offer
27.03.2018
VerSprite declined bounty
28.03.2018
Vendor submitted update for testing
28.03.2018
VerSprite Security tests update and confirmed vulnerability resolution
05.04.2018
Vendor releases update
17.04.2018
Vendor notified of the advisory release

Previous AdvisoryNext Advisory

Integrating Threat Modeling Throughout Your Enterprise

Offensive Security

DevSecOps

IRM Services

Threat Intelligence

Envisions Geopolitical Threat Report:

By Industry

Chrome Exploitation: How to easily launch a Chrome RCE+SBX exploit chain with one command

Security Resources

Who We Are