Security

‘SaferVPN’ Found to Be Vulnerable to Local Privilege Escalation [UPDATE]

By Bill Toulas / January 26, 2021

Security researcher “nmht3t” has discovered a local privilege escalation flaw affecting the ‘SaferVPN’ product - and more specifically, its Windows client. The vulnerable versions are anything from 5.0.3.3 to the most recent one, which is 5.0.4.15. This means that the flaw, given the “CVE-2020-26050” identifier, is still unfixed, and the VPN vendor hasn’t provided a fixing patch yet. And as denoted by the identifier, the researcher reported this bug 90 days ago, so we have now reached the disclosure deadline.

The researcher has provided the proof of concept example through video and also details how to reproduce it on the relevant write-up, so anyone can now hit ‘SaferVPN.’ According to the researcher, SaferVPN spawns an OpenVPN executable in the context of NT AUTHORITYSYSTEM every time it attempts to connect to a VPN server.

Then, it tries to load an openssl.cnf configuration file for a folder in C: - which is automatically created at that moment. If someone plants a crafted configuration file in that path (C:etcsslopenssl.cnf), a malicious OpenSSL engine library will be loaded, eventually resulting in arbitrary code execution as SYSTEM.

Since this attack has publicly available instructions on carrying it out, and since the attacker wouldn’t need to have special or high privileges to launch it successfully, we would suggest that you avoid using the product until the vendor pushes a fixing update. According to the researcher, SaferVPN’s team never responded to his warnings and messages, which does not indicate an actively supported and generally “alive” project. This is very unfortunate, as SaferVPN has had a good reputation in general.

In our in-depth review of the product, SaferVPN scored a respectable 7.8 out of 10. We praised the product for not being involved in data breach incidents, being easy to install, rich in features, and having competitive pricing. On the negative side, server speeds suffered, and there was no wide platform support. These two are signs of limited resources, so again, SaferVPN appears incapable of living up to its name.

January 26, 2021 UPDATE:

SaferVPN has informed us that the vulnerability has been fixed in version 5.0.5.0, which was published soon after the story came out. The client apps should automatically check for available updates and fetch the version without the user having to do anything. As the vendor explains, there are no known reports of this vulnerability having been used to exploit systems in the wild.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari