PT-2019-12862 · Openssl+1 · Openssl+1

Rich Mirch · Published 2019-06-21 · Updated 2021-01-12 · CVE-2019-12572

CVSS v3.1: 7.8 High

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Private Internet Access (PIA) VPN Client version 1.0.2 (build 02363)

Description

A vulnerability could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The issue arises from the PIA Windows service loading the OpenSSL library, which attempts to load a non-existent configuration file. An attacker can create a malicious configuration file to load a harmful OpenSSL engine library, resulting in arbitrary code execution as SYSTEM when the service starts.

Recommendations

For Private Internet Access (PIA) VPN Client version 1.0.2 (build 02363), consider restricting access to the C:\etc\ssl directory to prevent low-privileged users from creating a malicious openssl.cnf configuration file until a patch is available. As a temporary workaround, monitor the service startup process to detect any potential malicious activity.
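
One way to apply the directory restriction recommended above, as an added PowerShell example that is not part of the original advisory or any vendor guidance. It assumes an elevated PowerShell 5+ prompt, also covers the parent directory C:\etc, and treats only SYSTEM and BUILTIN\Administrators as trusted; those choices are assumptions of this example.

```powershell
# Added example; run from an elevated PowerShell 5+ prompt.
# C:\etc\ssl and openssl.cnf are from the advisory; covering the parent C:\etc
# and trusting only SYSTEM and Administrators are assumptions of this example.
$dirs    = 'C:\etc', 'C:\etc\ssl'
$cnf     = 'C:\etc\ssl\openssl.cnf'
$sidType = [System.Security.Principal.SecurityIdentifier]
$trusted = 'S-1-5-18', 'S-1-5-32-544'   # well-known SIDs: SYSTEM, BUILTIN\Administrators

# Rights that allow planting, replacing or re-permissioning files,
# plus the raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$rights    = 'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeBits = [int][System.Security.AccessControl.FileSystemRights]$rights -bor 0x50000000

# 1. Detect: the advisory describes this file as non-existent, so its presence needs review.
if (Test-Path -LiteralPath $cnf) {
    $when = (Get-Item -LiteralPath $cnf).LastWriteTime
    Write-Warning "$cnf exists (last written $when); review it before the service next starts."
}

foreach ($dir in $dirs) {
    # 2. Pre-create, so an unprivileged user cannot create (and own) the directory first.
    if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    # 3. Audit: report an untrusted owner and any write-capable ACE held by an untrusted SID.
    $acl   = Get-Acl -LiteralPath $dir
    $owner = $acl.GetOwner($sidType).Value
    if ($trusted -notcontains $owner) { Write-Warning "${dir} is owned by $owner" }
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $trusted -notcontains $sid -and
            ([int]$ace.FileSystemRights -band $writeBits)) {
            Write-Warning "${dir}: $sid holds $($ace.FileSystemRights)"
        }
    }

    # 4. Restrict: replace the DACL with a protected one (inheritance disabled), owned by
    #    Administrators, granting full control to SYSTEM and Administrators only.
    #    Review the audit output first if other software on the host uses these paths.
    $new = New-Object System.Security.AccessControl.DirectorySecurity
    $new.SetAccessRuleProtection($true, $false)
    $new.SetOwner($sidType::new('S-1-5-32-544'))
    foreach ($s in $trusted) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sidType::new($s), 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $new.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $dir -AclObject $new
}
```

The parent directory is included because delete-child rights on C:\etc would let its holder remove or replace C:\etc\ssl regardless of the child's own ACL.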

Exploit

Fix

Uncontrolled Search Path Element

Weakness Enumeration

Related Identifiers

CVE-2019-12572

Affected Products

Openssl
Private Internet Access (Pia) Vpn Client