CVE-2018-18857

Name of the Vulnerable Software and Affected Versions LiquidVPN client versions through 1.37 for macOS

Description A local privilege escalation issue has been identified, allowing an attacker to communicate with an unprotected XPC service. This enables the execution of arbitrary OS commands as root or the loading of a potentially malicious kernel extension. The issue arises because com.smr.liquidvpn.OVPNHelper uses the system function to execute the command line parameter as a shell command.

Recommendations For LiquidVPN client versions through 1.37 for macOS, consider disabling the OVPNHelper service until a patch is available to prevent the execution of arbitrary commands. Restrict access to the XPC service to minimize the risk of exploitation. Avoid using the command line parameter in the affected service until the issue is resolved.