VPN security flaw left big businesses at risk

The open source enterprise VPN supplier Aviatrix, whose customers include BT, NASA and Shell, has patched a serious vulnerability that, if exploited, could give an attacker escalated privileges on a machine they already had access to.

Immersive Labs researcher and content engineer Alex Seymour first discovered the vulnerability after he noticed that the company's VPN client was particularly verbose when booting up on a Linux machine. The disclosure comes just two months after the NSA and the National Security Council warned organizations that state-sponsored attackers had begun to target vulnerabilities in VPNs.

In a blog post announcing his discovery, Seymour warned that enterprise customers should install Aviatrix's latest patch as soon as possible, saying:

“Coming hot on the heels of the UK and US Government warnings about VPN vulnerabilities, this underlines that often the technology protecting enterprises needs to be managed as tightly as the people using it. People tend to think of their VPN as one of the more secure elements of their security posture, so it should be a bit of a wakeup call for the industry. Users should install the new patch as soon as possible to ensure there is no exploitation in the wild.”

The security flaw that Seymour discovered affects the Linux, macOS and FreeBSD versions of Aviatrix's client, which all use OpenVPN's --up and --down options to execute shell scripts when a VPN connection is established or torn down. Because of weak file permissions on the installation directory on Linux and FreeBSD, an attacker could modify these scripts so that they execute with elevated privileges when the backend service runs the OpenVPN command. This would give an attacker access to files, folders and network services on a machine using Aviatrix's VPN.

According to Seymour, Aviatrix took his disclosure very seriously, and the company worked closely with Immersive Labs throughout the remediation process before releasing a patch for the issue at the beginning of November.

If your organization is currently using Aviatrix's VPN client on Linux, FreeBSD or macOS, it is highly recommended that you apply the company's patch immediately to avoid falling victim to a privilege escalation attack.

Via Computer Weekly
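As an added example for defenders (not code from the article, Aviatrix or Immersive Labs), the following POSIX shell helper audits the up/down hook scripts named in an OpenVPN client config for exactly the weakness described above: a hook, or its parent directory, that a non-root user could write to before a root-run service executes it. It assumes GNU coreutils `stat -c` on Linux and a config containing `up`/`down` directives; the function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical audit helper written for this article (not Aviatrix code).
# Checks the OpenVPN up/down hook scripts named in a client config for the
# weakness described above: a hook a non-root user can edit or replace
# before a root-owned backend service executes it.
# Assumes GNU coreutils `stat -c` (Linux); FreeBSD would need `stat -f`.

# hook_path_is_safe PATH [OWNER_UID]
# Succeeds only if PATH exists, is owned by OWNER_UID (default 0, root)
# and has neither the group-write nor the world-write bit set.
hook_path_is_safe() {
    _p=$1; _want=${2:-0}
    [ -e "$_p" ] || return 1
    _info=$(stat -c '%u %A' "$_p") || return 1
    _uid=${_info%% *}; _perm=${_info#* }
    [ "$_uid" = "$_want" ] || return 1
    # %A looks like -rwxr-xr-x: column 6 is group write, column 9 is other write.
    case "$(printf '%s' "$_perm" | cut -c6,9)" in
        *w*) return 1 ;;
    esac
    return 0
}

# hook_script_is_safe SCRIPT [OWNER_UID]
# Both the script and its parent directory must pass: a writable directory
# lets an attacker swap the file out even when the file itself is locked down.
hook_script_is_safe() {
    hook_path_is_safe "$1" "${2:-0}" && hook_path_is_safe "$(dirname "$1")" "${2:-0}"
}

# audit_openvpn_hooks CONFIG [OWNER_UID]
# Reads every `up`/`down` directive from CONFIG (quotes stripped), prints one
# "ok"/"UNSAFE" line per hook, and fails if any hook is unsafe.
audit_openvpn_hooks() {
    _cfg=$1; _owner=${2:-0}; _bad=0
    for _script in $(awk '($1=="up"||$1=="down"){gsub(/"/,"",$2); print $2}' "$_cfg"); do
        if hook_script_is_safe "$_script" "$_owner"; then
            echo "ok     $_script"
        else
            echo "UNSAFE $_script"; _bad=1
        fi
    done
    return $_bad
}
```

Run it as `audit_openvpn_hooks /path/to/client.ovpn` on a host where the hooks are executed as root; any line beginning with UNSAFE is a hook that should be re-owned by root and stripped of group/world write bits.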