VPN Flaw Allows Criminal Access to Everything on Victims' Computers

Vulnerability in the Aviatrix VPN client, since patched, gives an attacker unlimited access to a breached system.

Dark Reading Staff, Dark Reading

December 6, 2019

1 Min Read
Dark Reading logo in a gray background | Dark Reading

A VPN vulnerability that provided both initial access to a victim's computer and privilege escalation once access was granted has been disclosed. The vulnerability in the Aviatrix VPN client, used by large organizations such as NASA and Shell, has been patched in all versions and is available for download.

Immersive Labs researcher and content engineer Alex Seymour discovered the vulnerability in early October. After noting evidence that a pair of Web servers were launched during the VPN client's open sequence, he found the servers and the Python used to create them had known issues, especially with the very lax permissions given the servers during the sequence.

Seymour was able to show proof of the privilege escalation that would allow an attacker to run essentially any random code desired on the targeted machine. Aviatrix responded to the notice of the breach and patched the vulnerability in less than a month. Both Aviatrix and Seymour recommend that all Aviatrix VPN client users update to the latest version as soon as possible.

Read more here.

Edgepromohorizontal.jpgCheck out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "10 Security 'Chestnuts' We Should Roast Over the Open Fire."

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights