CVE-2019-12578

Name of the Vulnerable Software and Affected Versions Private Internet Access (PIA) VPN Client version v82 for Linux

Description A vulnerability could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The issue involves the openvpn launcher.64 binary, which is setuid root and executes /opt/pia/openvpn-64/openvpn, passing command line parameters. The --route-pre-down parameter can be exploited to execute an arbitrary script or program when OpenVPN exits, by passing a malicious script or binary to this option. The --script-security parameter must also be passed to enable this action, and it is not currently disabled.

Recommendations For Private Internet Access (PIA) VPN Client version v82 for Linux, as a temporary workaround, consider disabling the openvpn launcher.64 binary or restricting its use until a patch is available. Avoid using the --route-pre-down parameter in the affected OpenVPN setup until the issue is resolved. Restrict access to the /opt/pia/openvpn-64/openvpn executable to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.