CVE-2018-15490 in ExpressVPN

Summary

by MITRE

An issue was discovered in ExpressVPN on Windows. The Xvpnd.exe process (which runs as a service with SYSTEM privileges) listens on TCP port 2015, which is used as an RPC interface for communication with the client side of the ExpressVPN application. A JSON-RPC protocol over HTTP is used for communication. The JSON-RPC XVPN.GetPreference and XVPN.SetPreference methods are vulnerable to path traversal, and allow reading and writing files on the file system on behalf of the service.


Analysis

by VulDB Data Team • 04/25/2020

CVE-2018-15490 is a critical path traversal flaw in the Windows build of ExpressVPN that exposes the host file system to arbitrary access. The affected component is the Xvpnd.exe service process, which runs with SYSTEM privileges, so any file operation it can be made to perform carries the highest permissions available on the machine. The service exposes an RPC interface on TCP port 2015 and uses JSON-RPC over HTTP for all communication with the client component. Within that interface, the XVPN.GetPreference and XVPN.SetPreference methods are the ones exposed, because the input they accept is insufficiently validated and sanitized.

The flaw is improper validation of the user-supplied parameters to these JSON-RPC methods: a specially crafted request can carry a file path that the service uses in file system operations without first sanitizing it, so the path can traverse outside the intended location to files that should be off limits. Through the service this permits reading sensitive system files, modifying configuration files, or even injecting malicious code into the system. The attack vector is especially concerning because it requires no elevated privileges on the caller's side: the service itself runs as SYSTEM and performs the arbitrary file operations on the caller's behalf through the RPC interface.

The operational impact is severe and multifaceted. Because the service runs as SYSTEM, successful exploitation can escalate privileges to full control of the system, including reading sensitive configuration files, modifying system settings, installing malware, or accessing protected data. Beyond the local host, the flaw is an attack surface that could be leveraged in broader network infiltration campaigns. That it sits in a VPN client also matters: such software is used precisely when connecting to networks that may be compromised, which makes the issue particularly relevant to enterprise environments where VPN use is widespread. The JSON-RPC interface is difficult to monitor and secure effectively, since it runs over standard network protocols and is designed to be reachable by legitimate client applications.

Mitigation should focus on immediate patching and network-level protections. The primary fix is updating to the patched ExpressVPN release, which validates all input parameters and sanitizes file paths properly. Organizations should also consider network segmentation to limit access to TCP port 2015, particularly in enterprise environments where VPN services are deployed. Defensively, monitoring for unusual network activity on port 2015 and applying application whitelisting to the Xvpnd.exe service can help detect exploitation attempts. The issue maps to CWE-22 (Path Traversal) and CWE-770 (Allocation of Resources Without Limits or Throttling) and is a typical example of a service-level vulnerability reached through an RPC interface being used to gain elevated privileges. The ATT&CK framework places it under privilege escalation, specifically service exploitation and credential access, which makes it a significant concern for both endpoint and network security teams. Organizations should also assess other VPN implementations for similar issues and ensure proper input validation is applied across all service interfaces.
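As an added example (not ExpressVPN's code, and not taken from the advisory), the following Python sketches a JSON-RPC preference handler that shows the unchecked-path pattern described above beside its hardened form: a whitelist on the preference name, followed by resolving the path and confirming it stays inside the preference store. The method names XVPN.GetPreference and XVPN.SetPreference come from the advisory; the `name` and `value` parameter names, the on-disk layout of the store, and the JSON-RPC error codes used here are assumptions.

```python
"""Added example, not ExpressVPN's code: a JSON-RPC preference handler showing
the unchecked-path pattern behind CVE-2018-15490 beside a hardened form.
Assumptions: the 'name'/'value' parameter names, the on-disk layout of the
preference store, and the error codes; only the method names are from the advisory."""
import json
import re
import tempfile
from pathlib import Path

# Constructed preference store (a temp dir) standing in for the service's real one.
PREFS_DIR = Path(tempfile.mkdtemp(prefix="prefs-")).resolve()
(PREFS_DIR / "locale").write_text("en-US")

# Preference names are simple tokens: no path separators, no drive letters, no NUL.
VALID_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def unsafe_preference_path(name: str) -> Path:
    """Vulnerable pattern: caller-controlled name joined straight onto the base.
    '..' segments walk out of the store and a rooted name replaces the base
    entirely, so the service reads or writes wherever the caller points it."""
    return PREFS_DIR / name


def safe_preference_path(name: str) -> Path:
    """Hardened form: whitelist the name, then resolve and confirm containment."""
    if not isinstance(name, str) or not VALID_NAME.fullmatch(name) or name in (".", ".."):
        raise ValueError("invalid preference name")
    candidate = (PREFS_DIR / name).resolve()  # follows symlinks, collapses '..'
    if candidate.parent != PREFS_DIR:         # must be a direct child of the store
        raise ValueError("preference path escapes store")
    return candidate


def handle_rpc(request_json: str, path_for=safe_preference_path) -> dict:
    """Dispatch one JSON-RPC request; path_for selects the unsafe or safe resolver."""
    try:
        req = json.loads(request_json)
    except json.JSONDecodeError:
        return {"id": None, "error": {"code": -32700, "message": "parse error"}}
    if not isinstance(req, dict):
        return {"id": None, "error": {"code": -32600, "message": "invalid request"}}
    rid, method, params = req.get("id"), req.get("method"), req.get("params") or {}
    try:
        if method == "XVPN.GetPreference":
            return {"id": rid, "result": path_for(params["name"]).read_text()}
        if method == "XVPN.SetPreference":
            target = path_for(params["name"])
            target.write_text(str(params["value"]))
            return {"id": rid, "result": True}
        return {"id": rid, "error": {"code": -32601, "message": "method not found"}}
    except (ValueError, KeyError, TypeError, OSError) as exc:
        # Rejected names never reach the file system; report without a stack trace.
        return {"id": rid, "error": {"code": -32602, "message": f"invalid params: {exc}"}}


if __name__ == "__main__":
    # Constructed requests: a legitimate read, a legitimate write, two traversal attempts.
    for body in (
        '{"id": 1, "method": "XVPN.GetPreference", "params": {"name": "locale"}}',
        '{"id": 2, "method": "XVPN.SetPreference", "params": {"name": "theme", "value": "dark"}}',
        '{"id": 3, "method": "XVPN.GetPreference", "params": {"name": "../outside"}}',
        '{"id": 4, "method": "XVPN.SetPreference", "params": {"name": "..\\\\..\\\\x", "value": "y"}}',
    ):
        print(handle_rpc(body))
```

The containment check is done on the resolved path rather than by string-matching `..`, so symlinks inside the store and platform-specific separators are covered as well; the whitelist on the name is the first line of defence and the resolve-and-compare step is the backstop. Passing `unsafe_preference_path` as `path_for` reproduces the unchecked behaviour for comparison in a test environment.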

Reservation: 08/17/2018

Disclosure: 01/02/2019

Moderation: accepted

CPE: ready

EPSS: 0.00609

KEV: no

Activities: very low
