VPN security flaw left big businesses at risk


The open source enterprise VPN supplier Aviatrix, whose customers include BT, NASA and Shell, has patched a serious vulnerability that, if exploited, could let an attacker who already had access to a machine escalate their privileges on it.

Immersive Labs researcher and content engineer Alex Seymour first discovered the vulnerability after he noticed that the company's VPN client was particularly verbose when booting up on a Linux machine.

The disclosure comes just two months after the NSA and the UK's National Cyber Security Centre (NCSC) warned organizations that state-sponsored attackers had begun to target vulnerabilities in VPNs. In a blog post announcing his discovery, Seymour warned that enterprise customers should install Aviatrix's latest patch as soon as possible, saying:

“Coming hot on the heels of the UK and US Government warnings about VPN vulnerabilities, this underlines that often the technology protecting enterprises needs to be managed as tightly as the people using it. People tend to think of their VPN as one of the more secure elements of their security posture, so it should be a bit of a wakeup call for the industry. Users should install the new patch as soon as possible to ensure there is no exploitation in the wild.”

VPN vulnerability

The security flaw that Seymour discovered affects the Linux, macOS and FreeBSD versions of Aviatrix's client, all of which use OpenVPN's --up and --down options to run shell scripts when a VPN connection is established or torn down.

Because the installation directory on Linux and FreeBSD was created with weak file permissions, a local unprivileged user could edit or replace these scripts. The client's backend service runs the OpenVPN command with elevated privileges, so the modified script would execute with those privileges the next time a tunnel came up or went down. That gives an attacker who already has a foothold on the machine effectively root-level access to its files, folders and network services.
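To make the failure mode concrete, here is an added example (not Aviatrix's or OpenVPN's own code) that audits a directory of OpenVPN hook scripts for exactly this weakness and then hardens it. The directory layout it builds is constructed for illustration; real clients put their scripts elsewhere. The check treats any path under the scripts directory, the directory itself included, as dangerous if it is writable by group or other, or is not owned by the account the VPN service runs as (root by default), since a writable directory lets an attacker replace a script even when the script file itself is locked down.

```shell
#!/bin/sh
# Added example (not Aviatrix's or OpenVPN's code). Audits and hardens a directory
# of OpenVPN --up/--down hook scripts. The layout built by demo_weak_install is
# constructed for illustration; real install paths differ per product.

# audit_hook_dir DIR [OWNER]
# Flags every path under DIR (DIR itself included) that is not owned by OWNER
# (default root) or is writable by group or other. Any such path lets a local
# user replace a script that the VPN service will later run as root.
# Returns 0 when clean, 1 when something is flagged.
audit_hook_dir() {
    dir=$1
    owner=${2:-root}
    offenders=$(find "$dir" \( ! -user "$owner" -o -perm -0020 -o -perm -0002 \) -print)
    if [ -n "$offenders" ]; then
        printf 'hook paths under %s that a non-%s user could tamper with:\n%s\n' \
            "$dir" "$owner" "$offenders"
        return 1
    fi
    return 0
}

# harden_hook_dir DIR [OWNER]
# Removes group/other write from DIR and everything below it and, when running
# as root, hands ownership to OWNER so only that account can edit the scripts.
harden_hook_dir() {
    dir=$1
    owner=${2:-root}
    chmod -R go-w "$dir" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$dir" || return 1
    fi
    return 0
}

# demo_weak_install
# Builds a constructed install tree with a world-writable scripts directory and
# hook script, mimicking the weak permissions described in the text. Prints the
# path of the scripts directory.
demo_weak_install() {
    root=$(mktemp -d) || return 1
    mkdir "$root/scripts" || return 1
    cat > "$root/scripts/vpn-up.sh" <<'EOF'
#!/bin/sh
# OpenVPN exports the tunnel device name as $dev before running --up scripts.
logger -t vpn-up "tunnel ${dev:-unknown} is up"
EOF
    chmod 0777 "$root/scripts" "$root/scripts/vpn-up.sh"
    printf '%s\n' "$root/scripts"
}

# run_demo: before/after walkthrough on the constructed tree. Uses the current
# user as the expected owner so it also works without root.
run_demo() {
    me=$(id -un)
    dir=$(demo_weak_install) || exit 1
    echo "== before hardening =="
    audit_hook_dir "$dir" "$me" || true
    harden_hook_dir "$dir" "$me"
    echo "== after hardening =="
    audit_hook_dir "$dir" "$me" && echo "clean: only $me can modify the hook scripts"
    rm -rf "${dir%/scripts}"
}

# Usage: sh hook_audit.sh demo                 (constructed walkthrough)
#        sh hook_audit.sh /path/to/hook/scripts (audit a real directory, expects root ownership)
case "${1:-}" in
    demo) run_demo ;;
    "")   ;;
    *)    audit_hook_dir "$1" ;;
esac
```

The audit uses only POSIX find predicates, so it runs unchanged on Linux, macOS and FreeBSD. Note that `chmod -R go-w` is the minimum fix; a vendor patch would normally also set the install directory to 0755 and root ownership at install time so the weak state never exists.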

According to Seymour, Aviatrix has taken his disclosure very seriously and the company worked closely with Immersive Labs throughout the remediation process before it released a patch for the issue at the beginning of November.

If your organization is currently using Aviatrix's VPN client on Linux, FreeBSD or macOS, it is highly recommended that you apply the company's patch immediately to avoid falling victim to a privilege escalation attack.


Via Computer Weekly

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 
