CVE-2018-10645 in VyprVPN
Summary
by MITRE
Golden Frog VyprVPN 2.12.1.8015 for Windows suffers from a SYSTEM privilege escalation vulnerability through the "VyprVPN" service. This service establishes a NetNamedPipe endpoint that allows applications to connect and call publicly exposed methods. The "SetProperty" method allows an attacker to configure the "AdditionalOpenVpnParameters" property and control the OpenVPN command line. Using the OpenVPN "plugin" parameter, an attacker may specify a dynamic library plugin that should run for every new VPN connection attempt. This plugin will execute code in the context of the SYSTEM user. This attack may be conducted using "VyprVPN Free" account credentials and the VyprVPN Desktop Client.
Analysis
by VulDB Data Team • 02/01/2020
CVE-2018-10645 is a local privilege escalation in Golden Frog VyprVPN 2.12.1.8015 for Windows. The VyprVPN service runs as SYSTEM and exposes a WCF NetNamedPipe endpoint that any local process can connect to. The methods reachable through that pipe are callable by unprivileged users, so the pipe is the trust boundary between the interactive user and the SYSTEM service, and the service does not enforce it.
The exploitable method is SetProperty, which lets a pipe client set the AdditionalOpenVpnParameters property. The service appends that string to the openvpn.exe command line it launches for each connection attempt. OpenVPN's --plugin option names a shared library (a DLL on Windows) that openvpn loads into its own process, so an attacker sets AdditionalOpenVpnParameters to a --plugin entry pointing at a DLL they control and then starts a connection. The plugin mechanism is legitimate extension functionality; what makes it dangerous here is that the service launches openvpn.exe as SYSTEM, and a plugin runs with the privileges of the process that loads it.
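To make that data flow concrete, the following is an added example and not VyprVPN's code: a minimal model of a SYSTEM-level service turning a client-controlled AdditionalOpenVpnParameters string into the argv of openvpn.exe, first in the raw-append form the advisory describes and then in an allow-listed form. The function names, the base command line, the option lists and the length limit are all assumptions made for the illustration.

```python
# Added example, not VyprVPN's code. Models how a SYSTEM-level VPN service turns a
# client-controlled "AdditionalOpenVpnParameters" string into the argv of
# openvpn.exe: the vulnerable raw-append pattern and an allow-listed alternative.
# All names, paths and option lists are illustrative assumptions.
import shlex

# OpenVPN options whose argument is a library or program that openvpn loads or runs.
# Illustrative, not exhaustive: --plugin is the one used in the advisory, and
# --config matters because a config file can carry any of the others as directives.
CODE_EXEC_OPTIONS = {
    "--plugin", "--config", "--up", "--down", "--route-up", "--route-pre-down",
    "--ipchange", "--tls-verify", "--client-connect", "--client-disconnect",
    "--auth-user-pass-verify", "--learn-address", "--script-security",
}

# Assumed allow-list: options an unprivileged client may tune, each taking one integer.
ALLOWED_INT_OPTIONS = {"--mssfix", "--fragment", "--tun-mtu", "--verb"}

# Assumed fixed part of the launch; the real service's arguments are not on the page.
BASE_ARGV = ["openvpn.exe", "--config", "C:\\ProgramData\\VyprVPN\\vpn.ovpn"]


def split_args(extra: str) -> list:
    """Split the client string into tokens. posix=False keeps Windows backslashes
    literal; quoted values keep their quotes, which is enough for option checks."""
    return shlex.split(extra, posix=False)


def client_code_exec_options(extra: str) -> list:
    """Tokens of the client-supplied string that would make openvpn.exe load or
    execute something of the client's choosing."""
    return [tok for tok in split_args(extra) if tok in CODE_EXEC_OPTIONS]


def build_argv_vulnerable(extra: str) -> list:
    """The pattern in the advisory: whatever the client set via SetProperty is
    appended verbatim, so '--plugin <dll>' becomes part of a SYSTEM process."""
    return BASE_ARGV + split_args(extra)


def build_argv_hardened(extra: str) -> list:
    """Allow-list instead of block-list: every option must be known and every value
    must have the shape that option expects. Anything else is rejected, including
    --config, which would otherwise smuggle a plugin directive in via a file."""
    tokens = split_args(extra)
    if len(tokens) > 8:  # assumed limit; a handful of tunables is all a client needs
        raise ValueError("too many extra parameters")
    argv = list(BASE_ARGV)
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        if opt not in ALLOWED_INT_OPTIONS:
            raise ValueError(f"option not permitted from an unprivileged client: {opt}")
        if i + 1 >= len(tokens) or not tokens[i + 1].isdigit():
            raise ValueError(f"{opt} requires a single integer value")
        argv += [opt, tokens[i + 1]]
        i += 2
    return argv


if __name__ == "__main__":
    attack = "--plugin C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll"  # constructed input
    print(build_argv_vulnerable(attack))      # the DLL path reaches the SYSTEM launch
    print(client_code_exec_options(attack))   # ['--plugin']
    try:
        build_argv_hardened(attack)
    except ValueError as err:
        print("rejected:", err)
    print(build_argv_hardened("--mssfix 1400 --verb 3"))
```

The hardened builder deliberately rejects --config as well as --plugin: a block-list that only knows about --plugin is bypassed by pointing --config at a file that contains a plugin directive, which is why an allow-list of the few tunables a client legitimately needs is the safer shape for this check.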
The impact is a full local privilege escalation: a user who can run the VyprVPN Desktop Client and holds VyprVPN account credentials (a free account suffices) reaches SYSTEM without any administrative credentials, which means complete control of the machine, including every file, registry key and other process. The attack is local only; a NetNamedPipe endpoint is not reachable over the network. Because the plugin is loaded on every connection attempt, the attacker's code also runs again each time a connection is started, for as long as the property stays set.
The weakness is classified under CWE-78 (OS command injection) and its parent CWE-74 (injection): attacker-controlled text is placed into a command line without neutralisation. In MITRE ATT&CK terms the exploitation is T1068 (Exploitation for Privilege Escalation), and because the plugin re-executes on every connection attempt it also behaves like T1546 (Event Triggered Execution). The mitigation is to update the client to a release that addresses this issue. Until then, stopping the VyprVPN service removes the exposed endpoint, and a restrictive DACL on the named pipe limits who can call it; neither is a substitute for the real fix, which is for the service to validate what unprivileged clients may put on the OpenVPN command line, ideally with an allow-list of harmless tunables rather than a block-list of known-dangerous options. For detection, monitor process creation for openvpn.exe launched as SYSTEM with --plugin (or any of OpenVPN's script-execution options) pointing outside the product's install directory. Network segmentation does not apply here, since the endpoint is a local named pipe.
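The detection suggested above, as an added example that is neither VyprVPN's code nor any vendor's detection content: a triage pass over process-creation records with Sysmon Event ID 1 style fields (Image, User, CommandLine), flagging openvpn.exe started as SYSTEM with a --plugin or script option, and rating highest the case where the plugin path lies outside the product's own directory. The sample events, the trusted install path and the severity labels are constructed for the demonstration.

```python
# Added example, not VyprVPN's code or any vendor's detection content. Triage of
# process-creation records (Sysmon Event ID 1 style fields) for the launch pattern
# this advisory produces: openvpn.exe running as SYSTEM with a --plugin or script
# option. Sample events, the trusted directory and severities are constructed.
import shlex
from typing import Optional

# OpenVPN options that load a library or run a program; illustrative, not exhaustive.
SCRIPT_OPTIONS = {
    "--plugin", "--up", "--down", "--route-up", "--route-pre-down", "--ipchange",
    "--tls-verify", "--client-connect", "--client-disconnect",
    "--auth-user-pass-verify", "--learn-address", "--script-security",
}

# Assumed: where a plugin shipped with the product itself would live.
TRUSTED_DIR = "c:\\program files\\vyprvpn\\"

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\VyprVPN\\openvpn.exe", "User": SYSTEM_ACCOUNT,
     "CommandLine": "openvpn.exe --config C:\\ProgramData\\VyprVPN\\vpn.ovpn --verb 3"},
    {"Image": "C:\\Program Files\\VyprVPN\\openvpn.exe", "User": SYSTEM_ACCOUNT,
     "CommandLine": "openvpn.exe --config C:\\ProgramData\\VyprVPN\\vpn.ovpn "
                    "--plugin C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll"},
    {"Image": "C:\\Program Files\\VyprVPN\\openvpn.exe", "User": SYSTEM_ACCOUNT,
     "CommandLine": "openvpn.exe --config C:\\ProgramData\\VyprVPN\\vpn.ovpn "
                    "--plugin \"C:\\Program Files\\VyprVPN\\helper.dll\""},
    {"Image": "C:\\Users\\bob\\Downloads\\openvpn.exe", "User": "DESKTOP\\bob",
     "CommandLine": "openvpn.exe --config home.ovpn --up C:\\Users\\bob\\up.bat"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "User": "DESKTOP\\bob",
     "CommandLine": "notepad.exe --plugin notes.txt"},
]


def script_option_args(cmdline: str) -> dict:
    """Map each script/plugin option on the command line to its argument (or None)."""
    toks = shlex.split(cmdline, posix=False)  # keeps Windows backslashes literal
    found = {}
    for i, tok in enumerate(toks):
        if tok in SCRIPT_OPTIONS:
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            found[tok] = None if nxt is None or nxt.startswith("--") else nxt.strip('"')
    return found


def triage(event: dict) -> Optional[tuple]:
    """Return (severity, reason) for one process-creation event, or None."""
    if not event["Image"].lower().endswith("\\openvpn.exe"):
        return None
    opts = script_option_args(event["CommandLine"])
    if not opts:
        return None
    as_system = event["User"].upper() == SYSTEM_ACCOUNT
    plugin = opts.get("--plugin")
    if plugin is not None and not plugin.lower().startswith(TRUSTED_DIR):
        # The advisory's primitive: a SYSTEM openvpn loading a DLL from a user-writable path.
        return ("high" if as_system else "medium", f"plugin outside trusted dir: {plugin}")
    names = ", ".join(sorted(opts))
    return ("medium" if as_system else "low", f"script/plugin options present: {names}")


def triage_all(events: list) -> list:
    """(index, severity, reason) for every event that needs a look."""
    out = []
    for idx, ev in enumerate(events):
        hit = triage(ev)
        if hit:
            out.append((idx, hit[0], hit[1]))
    return out


if __name__ == "__main__":
    for row in triage_all(SAMPLE_EVENTS):
        print(row)
```

Even a plugin under the trusted directory is kept at medium rather than dropped, because the page's whole point is that the plugin option arrives from a client-controlled property; an analyst should confirm the service itself, not a pipe client, put it there.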