- ‘SaferVPN’ is vulnerable to a nasty flaw that it failed to address even after three months.
- The flaw is now public with details and a proof of concept, so the product is not safe to use at the moment.
- In general, it appears that ‘SaferVPN’ is going through rough times of limited resources and support.
Security researcher “nmht3t” has discovered a local privilege escalation flaw affecting the ‘SaferVPN’ product - and more specifically, its Windows client. The vulnerable versions are anything from 22.214.171.124 to the most recent one, which is 126.96.36.199. This means that the flaw, given the “CVE-2020-26050” identifier, is still unfixed, and the VPN vendor hasn’t provided a fixing patch yet. And as denoted by the identifier, the researcher reported this bug 90 days ago, so we have now reached the disclosure deadline.
The researcher has provided the proof of concept example through video and also details how to reproduce it on the relevant write-up, so anyone can now hit ‘SaferVPN.’ According to the researcher, SaferVPN spawns an OpenVPN executable in the context of NT AUTHORITYSYSTEM every time it attempts to connect to a VPN server.
Then, it tries to load an openssl.cnf configuration file for a folder in C: - which is automatically created at that moment. If someone plants a crafted configuration file in that path (C:etcsslopenssl.cnf), a malicious OpenSSL engine library will be loaded, eventually resulting in arbitrary code execution as SYSTEM.
Since this attack has publicly available instructions on carrying it out, and since the attacker wouldn’t need to have special or high privileges to launch it successfully, we would suggest that you avoid using the product until the vendor pushes a fixing update. According to the researcher, SaferVPN’s team never responded to his warnings and messages, which does not indicate an actively supported and generally “alive” project. This is very unfortunate, as SaferVPN has had a good reputation in general.
In our in-depth review of the product, SaferVPN scored a respectable 7.8 out of 10. We praised the product for not being involved in data breach incidents, being easy to install, rich in features, and having competitive pricing. On the negative side, server speeds suffered, and there was no wide platform support. These two are signs of limited resources, so again, SaferVPN appears incapable of living up to its name.
January 26, 2021 UPDATE:
SaferVPN has informed us that the vulnerability has been fixed in version 188.8.131.52, which was published soon after the story came out. The client apps should automatically check for available updates and fetch the version without the user having to do anything. As the vendor explains, there are no known reports of this vulnerability having been used to exploit systems in the wild.