Bernd Leitner

**Name of the Vulnerable Software and Affected Versions** SwitchVPN client version 2.1012.03 **Description** A local privilege escalation issue has been identified due to over-permissive configuration settings and a SUID binary, allowing an attacker to execute arbitrary binaries as root. **Recommendations** For SwitchVPN client version 2.1012.03, consider restricting the execution of the SUID binary until a patch is available to prevent arbitrary binary execution as root. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LiquidVPN client versions through 1.37 for macOS **Description** A local privilege escalation issue has been identified, allowing an attacker to communicate with an unprotected XPC service. This enables the execution of arbitrary OS commands as root or the loading of a potentially malicious kernel extension. The issue arises because `com.smr.liquidvpn.OVPNHelper` uses the system function to execute the `openvpncmd` parameter as a shell command. **Recommendations** For LiquidVPN client versions through 1.37 for macOS, consider disabling the `OVPNHelper` service until a patch is available to prevent the execution of arbitrary commands. Restrict access to the `openvpncmd` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LiquidVPN client versions through 1.37 for macOS **Description** A local privilege escalation issue has been identified, allowing an attacker to communicate with an unprotected XPC service. This enables the execution of arbitrary OS commands as root or the loading of a potentially malicious kernel extension. The issue arises because `com.smr.liquidvpn.OVPNHelper` uses the system function to execute the `command line` parameter as a shell command. **Recommendations** For LiquidVPN client versions through 1.37 for macOS, consider disabling the `OVPNHelper` service until a patch is available to prevent the execution of arbitrary commands. Restrict access to the XPC service to minimize the risk of exploitation. Avoid using the `command line` parameter in the affected service until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** LiquidVPN client versions through 1.37 for macOS **Description** The issue allows an attacker to communicate with an unprotected XPC service, enabling the execution of arbitrary OS commands as root or the loading of a potentially malicious kernel extension. This is possible because `com.smr.liquidvpn.OVPNHelper` uses the system function to execute the `tun path` or `tap path` pathname within a shell command. **Recommendations** For LiquidVPN client versions through 1.37 for macOS, consider disabling the `com.smr.liquidvpn.OVPNHelper` service until a patch is available to prevent the execution of arbitrary OS commands. Restrict access to the XPC service to minimize the risk of exploitation. Avoid using the `tun path` or `tap path` parameters in shell commands until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LiquidVPN client versions through 1.37 for macOS **Description** The issue allows an attacker to communicate with an unprotected XPC service, enabling the execution of arbitrary OS commands as root or the loading of a potentially malicious kernel extension. This is possible because `com.smr.liquidvpn.OVPNHelper` uses the value of the `tun path` or `tap path` pathname in a `kextload()` call. **Recommendations** For LiquidVPN client versions through 1.37 for macOS, consider restricting access to the `com.smr.liquidvpn.OVPNHelper` service to minimize the risk of exploitation. As a temporary workaround, avoid using the `tun path` or `tap path` parameters in the affected service until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.