Aviatrix VPN vulnerability left user endpoints wide open

Aviatrix, a supplier of open source enterprise virtual private networks (VPNs) to customers including BT, Nasa and Shell, has patched a serious vulnerability in its client that could have given an attacker escalation privileges on a machine to which they already had access.

The vulnerability was uncovered by Immersive Labs researcher and content engineer Alex Seymour, after noticing that the VPN client was unusually verbose when booting on a Linux machine.

Its disclosure comes hot on the heels of government warnings about the possibility of state-sponsored threat actors targeting high-profile organisations through VPN vulnerabilities in products from the likes of Pulse Secure, Palo Alto Networks and Fortinet.

Both the US’s National Security Agency (NSA) and the UK’s National Cyber Security Centre (NCSC) issued advisories to this effect in October 2019.

“This underlines that often the technology protecting enterprises needs to be managed as tightly as the people using it,” said Seymour. “People tend to think of their VPN as one of the more secure elements of their security posture, so it should be a bit of a wake-up call for the industry. Users should install the new patch as soon as possible to ensure there is no exploitation in the wild.”

The loophole centres on the Linux, macOS and FreeBSD versions of the Aviatrix client which use the OpenVPN command’s -up and -down flags to execute shell scripts when a VPN connection is established and cut off.

Because of weak file permissions set on the installation directory on Linux and FreeBSD, an attacker could theoretically modify these scripts so that as the backend service executes the OpenVPN command, the script executes with elevated privileges, giving them access to files, folders and network services.

Seymour said Aviatrix had taken the disclosure seriously and worked closely with Immersive Labs throughout the remediation process. A patch was released on 4 November 2019.

Besides patching the Aviatrix product, there are a number of steps than security teams can take to shore up their VPN security, which apply equally to those who are not Aviatrix users.

The guidance, compiled by the NCSC, applies in particular to organisations that have been previously targeted by advanced persistent threat (APT) actors, or that have detected successful exploitation of their VPNs.

Organisations should check their VPN settings and configuration options for unauthorised changes, including the SSH authorised keys file, new iptables rules and commands that are set to run on connecting clients, restoring from backups of the original configuration if available.

They should then review and monitor VPN and network traffic logs, as well as checking the services users connect to via the VPN, hunting in particular for connections from uncommon IP addresses – especially ones with successful logins or large data lengths returned, and identifying replay attempts using old, out-of-date credentials.

Other prudent steps include wiping the endpoint device according to the manufacturer’s guidance, enabling two-factor authentication for users of the VPN to shield against password replay attacks, and reducing the exposed threat surface by disabling unneeded or unused functionality and ports on the VPN.