CVE-2018-15490 - OpenCVE

An issue was discovered in ExpressVPN on Windows. The Xvpnd.exe process (which runs as a service with SYSTEM privileges) listens on TCP port 2015, which is used as an RPC interface for communication with the client side of the ExpressVPN application. A JSON-RPC protocol over HTTP is used for communication. The JSON-RPC XVPN.GetPreference and XVPN.SetPreference methods are vulnerable to path traversal, and allow reading and writing files on the file system on behalf of the service.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact None

AV:L/AC:L/Au:N/C:C/I:C/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Microsoft	Windows
Expressvpn	Expressvpn

Configuration 1 [-]

AND

cpe:2.3:a:expressvpn:expressvpn:-:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

References

Link	Resource
https://medium.com/%40Wflki/https-medium-com-wflki-cve-2018-15490-expressvpn-local-privilege-escalation-d22c86fecc47

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-01-02T18:00:00

Updated: 2019-01-02T17:57:02

Reserved: 2018-08-17T00:00:00

Link: CVE-2018-15490

JSON object: View

NVD Information

Status : Modified

Published: 2019-01-02T18:29:00.653

Modified: 2023-11-07T02:53:10.300

Link: CVE-2018-15490

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-12-31T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in ExpressVPN on Windows. The Xvpnd.exe process (which runs as a service with SYSTEM privileges) listens on TCP port 2015, which is used as an RPC interface for communication with the client side of the ExpressVPN application. A JSON-RPC protocol over HTTP is used for communication. The JSON-RPC XVPN.GetPreference and XVPN.SetPreference methods are vulnerable to path traversal, and allow reading and writing files on the file system on behalf of the service."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-01-02T17:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://medium.com/%40Wflki/https-medium-com-wflki-cve-2018-15490-expressvpn-local-privilege-escalation-d22c86fecc47"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-15490", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in ExpressVPN on Windows. The Xvpnd.exe process (which runs as a service with SYSTEM privileges) listens on TCP port 2015, which is used as an RPC interface for communication with the client side of the ExpressVPN application. A JSON-RPC protocol over HTTP is used for communication. The JSON-RPC XVPN.GetPreference and XVPN.SetPreference methods are vulnerable to path traversal, and allow reading and writing files on the file system on behalf of the service."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://medium.com/@Wflki/https-medium-com-wflki-cve-2018-15490-expressvpn-local-privilege-escalation-d22c86fecc47", "refsource": "MISC", "url": "https://medium.com/@Wflki/https-medium-com-wflki-cve-2018-15490-expressvpn-local-privilege-escalation-d22c86fecc47"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-15490", "datePublished": "2019-01-02T18:00:00", "dateReserved": "2018-08-17T00:00:00", "dateUpdated": "2019-01-02T17:57:02", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:expressvpn:expressvpn:-:*:*:*:*:*:*:*", "matchCriteriaId": "98F7AD93-3730-4D97-983B-1CD3F1580A40", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in ExpressVPN on Windows. The Xvpnd.exe process (which runs as a service with SYSTEM privileges) listens on TCP port 2015, which is used as an RPC interface for communication with the client side of the ExpressVPN application. A JSON-RPC protocol over HTTP is used for communication. The JSON-RPC XVPN.GetPreference and XVPN.SetPreference methods are vulnerable to path traversal, and allow reading and writing files on the file system on behalf of the service."}, {"lang": "es", "value": "Se ha descubierto un problema en ExpressVPN en Windows. El proceso Xvpnd.exe (que se ejecuta como un servicio con privilegios SYSTEM) escucha en el puerto TCP \"2015\", el cual se utiliza como interfaz RPC para la comunicaci\u00f3n con el lado del cliente de la aplicaci\u00f3n ExpressVPN. Se utiliza un protocolo JSON-RPC por HTTP para la comunicarse. Los m\u00e9todos JSON-RPC XVPN.GetPreference y XVPN.SetPreference son vulnerables a un salto de directorio y permiten la lectura y escritura de archivos en el sistema de archivos en nombre del servicio."}], "id": "CVE-2018-15490", "lastModified": "2023-11-07T02:53:10.300", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.6, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 9.2, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-01-02T18:29:00.653", "references": [{"source": "cve@mitre.org", "url": "https://medium.com/%40Wflki/https-medium-com-wflki-cve-2018-15490-expressvpn-local-privilege-escalation-d22c86fecc47"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}