Fabius Watson

**Name of the Vulnerable Software and Affected Versions** Synology DiskStation Manager (DSM) versions prior to 7.1.1-42962-8 Synology DiskStation Manager (DSM) versions prior to 7.2.1-69057-7 Synology DiskStation Manager (DSM) versions prior to 7.2.2-72806-3 **Description** The issue is related to improper certificate validation in the LDAP utilities, allowing man-in-the-middle attackers to hijack the authentication of administrators. **Recommendations** For versions prior to 7.1.1-42962-8, update to version 7.1.1-42962-8 or later. For versions prior to 7.2.1-69057-7, update to version 7.2.1-69057-7 or later. For versions prior to 7.2.2-72806-3, update to version 7.2.2-72806-3 or later.

**Name of the Vulnerable Software and Affected Versions** QNAP QTS versions prior to 5.1.9.2954 build 20241120 QNAP QTS versions prior to 5.2.2.2950 build 20241114 QNAP QuTS hero versions prior to h5.1.9.2954 build 20241120 QNAP QuTS hero versions prior to h5.2.2.2952 build 20241116 **Description** An improper authentication vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to compromise the security of the system. **Recommendations** For QNAP QTS versions prior to 5.1.9.2954 build 20241120, update to QTS 5.1.9.2954 build 20241120 or later. For QNAP QTS versions prior to 5.2.2.2950 build 20241114, update to QTS 5.2.2.2950 build 20241114 or later. For QNAP QuTS hero versions prior to h5.1.9.2954 build 20241120, update to QuTS hero h5.1.9.2954 build 20241120 or later. For QNAP QuTS hero versions prior to h5.2.2.2952 build 20241116, update to QuTS hero h5.2.2.2952 build 20241116 or later.

**Name of the Vulnerable Software and Affected Versions** Phoenix Contact CHARX SEC-3100 (affected versions not specified) **Description** An unauthenticated remote attacker can influence the communication due to the lack of encryption of sensitive data via a Man-In-The-Middle (MITM) attack. Charging is not affected. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Phoenix Contact CHARX SEC-3100 (affected versions not specified) **Description** An unauthenticated remote attacker can perform a log injection due to improper input validation. Only a certain log file is affected. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

The OCPP Service is affected by a command injection issue due to improper input validation, allowing an unauthenticated remote attacker to perform command injection with limited privileges. An exploit is available for this issue, with links to the exploit code provided at https://t.co/BZBA0cBOqQ and https://t.co/8lB6fukqj1. The specific software and versions affected are not specified, however, it is mentioned that the issue affects the OCPP Service. #OCPP #commandinjection #infosec #cybersecurityawareness #cybersecurity #hacker #infosecurity

**Name of the Vulnerable Software and Affected Versions** Phoenix Contact CHARX SEC-3100 (affected versions not specified) **Description** An unauthenticated local attacker can perform a privilege escalation due to improper input validation in the OCPP agent service. This issue exists because of insufficient input validation, which may allow an attacker to elevate their privileges and execute arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Verix Multi-app Conductor application version 2.7 Description: The issue allows attackers to execute arbitrary code via a long configuration key value, specifically through a buffer overflow. To exploit this, an attacker must have the capability to download files to the device. Recommendations: For version 2.7, consider restricting access to configuration key values to prevent exploitation until a fix is available. As a temporary workaround, limit the ability to download files to the device to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SolarWinds Orion NPM versions prior to 12.4 **Description** The issue concerns a remote code execution vulnerability in the OrionModuleEngine service, which establishes a NetTcpBinding endpoint allowing remote, unauthenticated clients to connect and call publicly exposed methods. The InvokeActionMethod method can be abused by an attacker to execute commands as the SYSTEM user. There have been reports of real-world incidents where this issue was exploited, with hackers compromising the network of a strategic IT solutions provider for American government organizations. It is estimated that multiple hacking groups may have exploited this vulnerability, with one group using an exploit similar to a previously known vulnerability to infect SolarWinds Orion installations that were open to the network. **Recommendations** For SolarWinds Orion NPM versions prior to 12.4, update to version 12.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the OrionModuleEngine service to minimize the risk of exploitation. Avoid using the InvokeActionMethod method in the affected service until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SaferVPN version 4.2.5 **Description** The issue concerns a privilege escalation problem in the "SaferVPN.Service" service of SaferVPN for Windows. This service runs "openvpn.exe" using configuration files from the user's %LOCALAPPDATA%SaferVPNOvpnConfig directory. An authenticated attacker can modify these configuration files to specify a dynamic library plugin that runs for every new VPN connection attempt, allowing the execution of code in the context of the SYSTEM user. **Recommendations** For SaferVPN version 4.2.5, consider restricting access to the %LOCALAPPDATA%SaferVPNOvpnConfig directory to prevent modification of OpenVPN configuration files until a patch is available. As a temporary workaround, disabling the "SaferVPN.Service" service may mitigate the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Golden Frog VyprVPN version 2.12.1.8015 **Description** The issue allows for SYSTEM privilege escalation through the "VyprVPN" service, which establishes a NetNamedPipe endpoint. This endpoint exposes methods that can be called by applications, including the `SetProperty` method. This method enables an attacker to configure the `AdditionalOpenVpnParameters` property, thereby controlling the OpenVPN command line. An attacker can use the OpenVPN `plugin` parameter to specify a dynamic library plugin that runs for every new VPN connection attempt, executing code in the context of the SYSTEM user. The attack can be conducted using "VyprVPN Free" account credentials and the VyprVPN Desktop Client. **Recommendations** For Golden Frog VyprVPN version 2.12.1.8015, as a temporary workaround, consider disabling the `SetProperty` method or restricting access to the "VyprVPN" service until a patch is available. Avoid using the `AdditionalOpenVpnParameters` property and the OpenVPN `plugin` parameter in the affected service to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CyberGhost version 6.5.0.3180 **Description** The issue concerns a privilege escalation through the "CG6Service" service, which sets up a NetNamedPipe endpoint. This allows any installed application to connect and invoke publicly exposed methods. Specifically, the "ConnectToVpnServer" method is vulnerable as it accepts a `connectionParams` argument, giving an attacker control over the OpenVPN command line. An attacker can specify a dynamic library plugin to run for every new VPN connection attempt, executing code in the context of the SYSTEM user. **Recommendations** For CyberGhost version 6.5.0.3180, as a temporary workaround, consider disabling the "CG6Service" service until a patch is available. Restrict access to the "ConnectToVpnServer" method to minimize the risk of exploitation. Avoid using the `connectionParams` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: TunnelBear version 3.2.0.6 Description: The issue concerns a privilege escalation through the TunnelBearMaintenance service, which sets up a NetNamedPipe endpoint. This allows any installed application to connect and invoke publicly exposed methods. Specifically, the OpenVPNConnect method is vulnerable as it accepts a server list argument, giving an attacker control over the OpenVPN command line. An attacker can specify a dynamic library plugin to run for every new VPN connection attempt, executing code in the context of the SYSTEM user. Recommendations: For TunnelBear version 3.2.0.6, consider disabling the TunnelBearMaintenance service as a temporary workaround until a patch is available. Restrict access to the NetNamedPipe endpoint to minimize the risk of exploitation. Avoid using the OpenVPNConnect method in the affected service until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: PureVPN version 6.0.1 Description: The issue concerns a privilege escalation in the `sevpnclient` service when using the OpenVPN protocol. The service executes `openvpn.exe` with a config file located at `%PROGRAMDATA%purevpnconfigconfig.ovpn`, which has write permissions for the `Everyone` group. An authenticated attacker can modify this file to specify a dynamic library plugin, allowing code execution in the context of the SYSTEM account. Recommendations: For PureVPN version 6.0.1, consider restricting write access to the `%PROGRAMDATA%purevpnconfigconfig.ovpn` file to prevent modification by unauthorized users. As a temporary workaround, monitor changes to this file closely and avoid using the OpenVPN protocol until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: London Trust Media Private Internet Access (PIA) VPN Client version v77 Description: A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client could allow an unauthenticated, local attacker to run executable files with elevated privileges due to insufficient implementation of access controls. The `Changelog` and `Help` options from the system tray context menu spawn an elevated instance of the user's default web browser. An attacker could exploit this by selecting `Run as Administrator` from the context menu of an executable file within the file browser of the spawned default web browser, potentially allowing the execution of privileged commands on the targeted system. Recommendations: For London Trust Media Private Internet Access (PIA) VPN Client version v77, consider disabling the `Changelog` and `Help` options from the system tray context menu as a temporary workaround until a patch is available. Restrict access to the default web browser's file browser to minimize the risk of exploitation. Avoid using the `Run as Administrator` option from the context menu of executable files within the spawned default web browser until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** NordVPN version 6.12.7.0 **Description** The issue is related to the "nordvpn-service" service, which establishes a NetNamedPipe endpoint. This allows arbitrary installed applications to connect and call publicly exposed methods, including the "Connect" method. The "Connect" method accepts a class instance argument, providing attacker control of the OpenVPN command line. An attacker can specify a dynamic library plugin to run for every new VPN connection attempt, executing code in the context of the SYSTEM user. The vulnerability is associated with inadequate access control in the nordvpn-service. **Recommendations** For NordVPN version 6.12.7.0, consider disabling the "nordvpn-service" service as a temporary workaround to minimize the risk of exploitation. Restrict access to the NetNamedPipe endpoint to prevent arbitrary applications from connecting and calling publicly exposed methods. Avoid using the dynamic library plugin feature in the OpenVPN command line until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ProtonVPN version 1.3.3 **Description** The issue is related to insufficient access control in the ProtonVPN service, which establishes a NetNamedPipe endpoint. This allows arbitrary installed applications to connect and call publicly exposed methods, such as the `Connect` method. The `Connect` method accepts a class instance argument, providing attacker control over the OpenVPN command line. An attacker can specify a dynamic library plugin to execute code in the context of the SYSTEM user. This could allow a remote attacker to execute arbitrary code with SYSTEM privileges using the OpenVPN command line. **Recommendations** For ProtonVPN version 1.3.3, consider disabling the `ProtonVPN Service` until a patch is available to prevent potential exploitation. Restrict access to the NetNamedPipe endpoint to minimize the risk of arbitrary code execution. Avoid using the dynamic library plugin feature in the OpenVPN command line until the issue is resolved.