VPN security flaw left big businesses at risk

BT, NASA and Shell need to patch their Aviatrix VPN clients now

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

The open source enterpriseVPNsupplier Aviatrix, whose customers include BT, NASA and Shell, has patched a serious vulnerability that if exploited, could give an attackerescalation privilegeson a machine they already had access to.

Immersive Labs researcher and content engineer Alex Seymour first discovered the vulnerability after he noticed that the company’s VPN client was particularly verbose when booting up on a Linux machine.

The disclosure comes just two months after the NSA and the National Security Council warned organizations that state-sponsored attackers had begun to target vulnerabilities in VPNs. In ablog postannouncing his discovery, Seymour warned that enterprise customers should install Aviatrix’s latest patch as soon as possible, saying:

“Coming hot on the heels of the UK and US Government warnings about VPN vulnerabilities, this underlines that often the technology protecting enterprises needs to be managed as tightly as the people using it. People tend to think of their VPN as one of the more secure elements of their security posture, so it should be a bit of a wakeup call for the industry. Users should install the new patch as soon as possible to ensure there is no exploitation in the wild.”

VPN vulnerability

The security flaw that Seymour discovered affects the Linux, macOS and FreeBSD versions of Aviatrix’s client which all useOpenVPNcommand’s -up and -down flags in order to execute shell scripts when a VPN connection is established or cut off.

As a result of weak file permissions set on the installation directory on Linux and FreeBSD, an attacker could potentially modify these scripts to execute with elevated privileges when the backend service executes the OpenVPN command. This would give an attacker access to files, folders and network services running on a machine using Aviatrix’s VPN.

According to Seymour, Aviatrix has taken his disclosure very seriously and the company worked closely with Immersive Labs throughout the remediation process before it released apatch for the issueat the beginning of November.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

If your organization is currently using Aviatrix’s VPN client on Linux, FreeBSD or macOS, it is highly recommended that you apply the company’s patch immediately to avoid falling victim to a privilege escalation attack.

ViaComputer Weekly

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.

Is it still worth using Proton VPN Free?

Mozambique VPN usage soars as internet restrictions continue

Lenovo ThinkPad T14s Gen 6 review