CVE-2018-18856

Name of the Vulnerable Software and Affected Versions LiquidVPN client versions through 1.37 for macOS

Description A local privilege escalation issue has been identified, allowing an attacker to communicate with an unprotected XPC service. This enables the execution of arbitrary OS commands as root or the loading of a potentially malicious kernel extension. The issue arises because com.smr.liquidvpn.OVPNHelper uses the system function to execute the openvpncmd parameter as a shell command.

Recommendations For LiquidVPN client versions through 1.37 for macOS, consider disabling the OVPNHelper service until a patch is available to prevent the execution of arbitrary commands. Restrict access to the openvpncmd parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.