Apple · Apple Macos · CVE-2026-31893
**Name of the Vulnerable Software and Affected Versions**
Tunnelblick versions 3.3beta26 through 9.0beta01
**Description**
Tunnelblick is an open source graphical user interface for OpenVPN on macOS. A symlink-following issue exists in the `tunnelblick-helper` process, which is reachable through the world-accessible `tunnelblickd` Unix socket. Because the socket is created with mode 0666 and performs no authorization checks, any local user can connect to it. The helper constructs a path to `config.ovpn` inside a user-controlled `.tblk` directory and reads it with root privileges without checking for symlinks along that path. A local attacker can therefore supply a `.tblk` configuration whose `config.ovpn` is a symlink to any file on the system and have the helper read arbitrary root-owned files.
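As an added illustration of the missing check (example code, not Tunnelblick's own code or its 9.0beta02 fix), the C below shows how a privileged helper can open `config.ovpn` inside a user-supplied `.tblk` directory with `O_NOFOLLOW` at each user-controlled component and then verify the opened inode's type and owner via `fstat`. The `open_user_config` and `demo` names, the `/tmp` fixture and the placeholder symlink target are assumptions.

```c
#define _GNU_SOURCE 1 /* glibc: expose openat, O_CLOEXEC, mkdtemp */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open base/<tblk_dir>/config.ovpn from a privileged helper without trusting the
 * user-controlled path: refuse symlinks at both user-controlled components and
 * require the opened inode to be a regular file owned by `owner`. */
int open_user_config(const char *base, const char *tblk_dir, uid_t owner) {
    /* O_NOFOLLOW covers only the final path component, so the bundle name
     * must be a single component: no '/', and not "..". */
    if (!*tblk_dir || strchr(tblk_dir, '/') || !strcmp(tblk_dir, "..")) { errno = EINVAL; return -1; }
    int basefd = open(base, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (basefd < 0) return -1;
    /* A .tblk that is itself a symlink, or not a directory, is rejected. */
    int dirfd = openat(basefd, tblk_dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    close(basefd);
    if (dirfd < 0) return -1;
    /* A symlinked config.ovpn fails with ELOOP instead of being followed. */
    int fd = openat(dirfd, "config.ovpn", O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    int saved = errno;
    close(dirfd);
    if (fd < 0) { errno = saved; return -1; }
    /* fstat the descriptor, not stat the path: no race window, and a hard link
     * to a root-owned file is caught by the ownership check. */
    struct stat st;
    if (fstat(fd, &st) || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

/* Constructed fixture in a temp dir: a genuine bundle plus one whose config.ovpn
 * is a dangling symlink (placeholder for a root-owned target). Returns 1 when
 * the genuine file opens and the symlinked one is refused with ELOOP. */
int demo(void) {
    char base[] = "/tmp/tblk-demo-XXXXXX", p[512];
    if (!mkdtemp(base)) return 0;
    snprintf(p, sizeof p, "%s/good.tblk", base); mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/good.tblk/config.ovpn", base);
    close(open(p, O_WRONLY | O_CREAT, 0600));
    snprintf(p, sizeof p, "%s/evil.tblk", base); mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/evil.tblk/config.ovpn", base);
    symlink("/placeholder/root-owned-file", p);
    int good = open_user_config(base, "good.tblk", getuid());
    int bad = open_user_config(base, "evil.tblk", getuid());
    int refused = bad < 0 && errno == ELOOP;
    if (good >= 0) close(good);
    return good >= 0 && refused;
}
```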
**Recommendations**
Update to version 9.0beta02.