Rotlogix

**Name of the Vulnerable Software and Affected Versions** IPVanish version 3.0.11 for macOS **Description** The issue is related to the `com.ipvanish.osx.vpnhelper` LaunchDaemon, which implements an insecure XPC service. This allows an attacker to execute arbitrary code as the root user by sending specially crafted XPC messages. The XPC service does not validate incoming connections, making it possible for any installed application to send XPC messages to it. Specifically, an attacker could manipulate the `OpenVPNPath` variable to point to a malicious binary on the system, which would then be executed as the root user when the `com.ipvanish.osx.vpnhelper` receives the VPNHelperConnect command. **Recommendations** For IPVanish version 3.0.11, consider disabling the `com.ipvanish.osx.vpnhelper` LaunchDaemon as a temporary workaround to prevent exploitation until a patch is available. Restrict access to the XPC service to minimize the risk of malicious XPC messages being sent to it. Avoid using the `OpenVPNPath` variable in the affected XPC message until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NordVPN version 3.3.10 for macOS **Description** The issue arises from the privileged helper tool's implemented XPC service, which is responsible for receiving and processing new OpenVPN connection requests. This XPC service is not protected, allowing arbitrary applications to connect and send XPC messages. An attacker can send a crafted XPC message to the privileged helper tool, requesting a new OpenVPN connection and specifying the location of the openvpn executable, potentially pointing to a malicious executable. This could result in code execution in the context of the privileged helper tool. **Recommendations** For NordVPN version 3.3.10 for macOS, consider disabling the XPC service of the privileged helper tool until a patch is available to prevent arbitrary applications from sending XPC messages. Restrict access to the OpenVPN connection requests to minimize the risk of exploitation. Avoid using the vulnerable XPC service in the privileged helper tool until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** VPN Unlimited version 4.2.0 for macOS **Description** The issue concerns a root privilege escalation in the privileged helper tool of VPN Unlimited. This tool implements an XPC interface, allowing arbitrary applications to execute system commands as root. **Recommendations** For VPN Unlimited version 4.2.0, consider disabling the XPC interface in the privileged helper tool until a patch is available to prevent arbitrary system command execution as root.

Name of the Vulnerable Software and Affected Versions: ZenMate version 1.5.4 for macOS Description: The issue is related to a type confusion problem within the com.zenmate.chron-xpc LaunchDaemon component. This component implements an XPC service that uses an insecure XPC API, potentially allowing an attacker to pass an XPC object of the wrong type to the xpc connection create from endpoint function. However, due to internal checks implemented by Apple in recent macOS and OS X versions, exploitation of this issue would likely result in a denial of service. Recommendations: For ZenMate version 1.5.4, consider disabling the com.zenmate.chron-xpc LaunchDaemon component as a temporary workaround to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CactusVPN versions through 6.0 for macOS **Description** The issue is related to the implementation of the XPC interface in the CactusVPN software, which is used to access the VPN service. This implementation has access control weaknesses. Exploitation of the issue can allow a remote attacker to execute system commands with root privileges. The privileged helper tool in CactusVPN implements an XPC interface, enabling arbitrary applications to execute system commands as root. **Recommendations** For CactusVPN versions through 6.0 for macOS, consider disabling the privileged helper tool until a patch is available to prevent arbitrary applications from executing system commands as root. Restrict access to the XPC interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PrivateVPN version 2.0.31 for macOS **Description** The software installs a privileged helper tool that runs as the root user, which is installed as a LaunchDaemon and implements an XPC service. This XPC service handles new VPN connection operations via the main PrivateVPN application. The privileged helper tool creates new VPN connections by executing the `openvpn` binary located in the `/Applications/PrivateVPN.app/Contents/Resources` directory. The `openvpn` binary can be overwritten by the default user, allowing an attacker that has already installed malicious software as the default user to replace the binary. When a new VPN connection is established, the privileged helper tool will launch this malicious binary, thus allowing an attacker to execute code as the root user. **Recommendations** As a temporary workaround, consider disabling the execution of the `openvpn` binary by the privileged helper tool until a fix is available. Restrict access to the `/Applications/PrivateVPN.app/Contents/Resources` directory to minimize the risk of exploitation. Avoid using the PrivateVPN application to establish new VPN connections until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CactusVPN version 5.3.6 **Description** The issue concerns a root privilege escalation through a setuid root binary called `runme`. This binary accepts a command line argument and passes it to a `system()` call, allowing low-privileged users to execute commands as root. **Recommendations** For CactusVPN version 5.3.6, consider restricting access to the `runme` binary to prevent low-privileged users from executing commands as root until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mailbutler Shimo versions prior to 4.1.5.1 **Description** The issue concerns an unprotected XPC service in the com.feingeist.shimo.helper tool LaunchDaemon, which can be exploited to execute scripts as root. **Recommendations** For Mailbutler Shimo versions prior to 4.1.5.1, update to version 4.1.5.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PureVPN version 6.0.1 **Description** The issue concerns an unprotected XPC service in the HelperTool LaunchDaemon of PureVPN on macOS. This unprotected service can be exploited to execute system commands with root privileges. **Recommendations** For PureVPN version 6.0.1, consider disabling the HelperTool LaunchDaemon until a patch is available to prevent potential exploitation.

**Name of the Vulnerable Software and Affected Versions** Golden Frog VyprVPN versions prior to 2.15.0.5828 **Description** The issue concerns an unprotected XPC service in the vyprvpnservice launch daemon, which allows attackers to modify the OpenVPN configuration and arguments passed to the OpenVPN binary. This can be exploited by forcing the VyprVPN application to load a malicious dynamic library when a new connection is established. **Recommendations** For versions prior to 2.15.0.5828, update to version 2.15.0.5828 or later to resolve the issue. As a temporary workaround, consider restricting access to the XPC service to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Dolphin Browser for Android version 12.0.2 **Description** The issue is related to an insecure parsing implementation of the Intent URI scheme. This could allow attackers to invoke private Activities within the Dolphin Browser by using a malicious Intent URI. **Recommendations** For version 12.0.2, consider restricting access to private Activities until a patch is available. As a temporary workaround, avoid using the Dolphin Browser for Android with untrusted Intent URIs. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mobotap Dolphin Browser for Android version 12.0.2 **Description** The issue arises from an arbitrary file write vulnerability in the Backup and Restore feature when restoring browser settings from a malicious backup file. This allows an attacker to overwrite a specific executable in the browser's data directory with a crafted malicious executable, which is then executed every time the browser is launched. **Recommendations** For Mobotap Dolphin Browser for Android version 12.0.2, as a temporary workaround, consider disabling the Backup and Restore feature until a patch is available. Restrict access to the browser's data directory to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.