CVE-2018-7311 - OpenCVE

Vendors	Products
Privatevpn	Privatevpn

Link	Resource
https://gist.github.com/anonymous/cfc3f3419804b22ee9e82ee8d16a661d	Third Party Advisory
https://github.com/VerSprite/research/blob/eba22c8b506be6f7128ef5356281915d5667bfff/advisories/VS-2018-004.md	Third Party Advisory
https://github.com/VerSprite/research/blob/master/advisories/VS-2018-004.md	Third Party Advisory

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-02-21T00:00:00", "descriptions": [{"lang": "en", "value": "PrivateVPN 2.0.31 for macOS suffers from a root privilege escalation vulnerability. The software installs a privileged helper tool that runs as the root user. This privileged helper tool is installed as a LaunchDaemon and implements an XPC service. The XPC service is responsible for handling new VPN connection operations via the main PrivateVPN application. The privileged helper tool creates new VPN connections by executing the openvpn binary located in the /Applications/PrivateVPN.app/Contents/Resources directory. The openvpn binary can be overwritten by the default user, which allows an attacker that has already installed malicious software as the default user to replace the binary. When a new VPN connection is established, the privileged helper tool will launch this malicious binary, thus allowing an attacker to execute code as the root user. NOTE: the vendor has reportedly indicated that this behavior is \"an acceptable part of their software."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-03-05T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/VerSprite/research/blob/master/advisories/VS-2018-004.md"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/VerSprite/research/blob/eba22c8b506be6f7128ef5356281915d5667bfff/advisories/VS-2018-004.md"}, {"tags": ["x_refsource_MISC"], "url": "https://gist.github.com/anonymous/cfc3f3419804b22ee9e82ee8d16a661d"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-7311", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** PrivateVPN 2.0.31 for macOS suffers from a root privilege escalation vulnerability. The software installs a privileged helper tool that runs as the root user. This privileged helper tool is installed as a LaunchDaemon and implements an XPC service. The XPC service is responsible for handling new VPN connection operations via the main PrivateVPN application. The privileged helper tool creates new VPN connections by executing the openvpn binary located in the /Applications/PrivateVPN.app/Contents/Resources directory. The openvpn binary can be overwritten by the default user, which allows an attacker that has already installed malicious software as the default user to replace the binary. When a new VPN connection is established, the privileged helper tool will launch this malicious binary, thus allowing an attacker to execute code as the root user. NOTE: the vendor has reportedly indicated that this behavior is \"an acceptable part of their software.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/VerSprite/research/blob/master/advisories/VS-2018-004.md", "refsource": "MISC", "url": "https://github.com/VerSprite/research/blob/master/advisories/VS-2018-004.md"}, {"name": "https://github.com/VerSprite/research/blob/eba22c8b506be6f7128ef5356281915d5667bfff/advisories/VS-2018-004.md", "refsource": "MISC", "url": "https://github.com/VerSprite/research/blob/eba22c8b506be6f7128ef5356281915d5667bfff/advisories/VS-2018-004.md"}, {"name": "https://gist.github.com/anonymous/cfc3f3419804b22ee9e82ee8d16a661d", "refsource": "MISC", "url": "https://gist.github.com/anonymous/cfc3f3419804b22ee9e82ee8d16a661d"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-7311", "datePublished": "2018-02-21T22:00:00", "dateReserved": "2018-02-21T00:00:00", "dateUpdated": "2018-03-05T19:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:privatevpn:privatevpn:2.0.31:*:*:*:*:macos:*:*", "matchCriteriaId": "0FC93FC6-FB64-461C-9FF5-87F2DBC671E0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "PrivateVPN 2.0.31 for macOS suffers from a root privilege escalation vulnerability. The software installs a privileged helper tool that runs as the root user. This privileged helper tool is installed as a LaunchDaemon and implements an XPC service. The XPC service is responsible for handling new VPN connection operations via the main PrivateVPN application. The privileged helper tool creates new VPN connections by executing the openvpn binary located in the /Applications/PrivateVPN.app/Contents/Resources directory. The openvpn binary can be overwritten by the default user, which allows an attacker that has already installed malicious software as the default user to replace the binary. When a new VPN connection is established, the privileged helper tool will launch this malicious binary, thus allowing an attacker to execute code as the root user. NOTE: the vendor has reportedly indicated that this behavior is \"an acceptable part of their software."}, {"lang": "es", "value": "** EN DISPUTA ** PrivateVPN 2.0.31 para macOS sufre de una vulnerabilidad de escalado de privilegios root. El software instala una herramienta helper con privilegios que se ejecuta como el usuario root. Esta herramienta helper con privilegios se instala como LaunchDaemon e implementa un servicio XPC. Este servicio es responsable de gestionar nuevas operaciones de conexi\u00f3n VPN mediante la aplicaci\u00f3n PrivateVPN principal. La herramienta helper con privilegios crea nuevas conexiones VPN ejecutando el binario openvpn situado en el directorio /Applications/PrivateVPN.app/Contents/Resources. El usuario por defecto puede sobrescribir este binario openvpn, lo que permite que un atacante que ya haya instalado software malicioso como el usuario por defecto reemplace el binario. Cuando se establece una nueva conexi\u00f3n VPN, la herramienta helper con privilegios ejecuta este binario malicioso, lo que permite que un atacante ejecute c\u00f3digo como usuario root. NOTA: el fabricante ha indicado que este comportamiento es \"una parte aceptable de su software\"."}], "id": "CVE-2018-7311", "lastModified": "2024-05-17T01:29:34.523", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-02-21T22:29:00.330", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://gist.github.com/anonymous/cfc3f3419804b22ee9e82ee8d16a661d"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/VerSprite/research/blob/eba22c8b506be6f7128ef5356281915d5667bfff/advisories/VS-2018-004.md"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/VerSprite/research/blob/master/advisories/VS-2018-004.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

JSON object

JSON object

JSON object