CVE-2018-18858

Name of the Vulnerable Software and Affected Versions LiquidVPN client versions through 1.37 for macOS

Description The issue allows an attacker to communicate with an unprotected XPC service, enabling the execution of arbitrary OS commands as root or the loading of a potentially malicious kernel extension. This is possible because com.smr.liquidvpn.OVPNHelper uses the system function to execute the tun path or tap path pathname within a shell command.

Recommendations For LiquidVPN client versions through 1.37 for macOS, consider disabling the com.smr.liquidvpn.OVPNHelper service until a patch is available to prevent the execution of arbitrary OS commands. Restrict access to the XPC service to minimize the risk of exploitation. Avoid using the tun path or tap path parameters in shell commands until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.