CVE-2019-12579

Name of the Vulnerable Software and Affected Versions London Trust Media Private Internet Access (PIA) VPN Client version v82

Description A vulnerability could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The openvpn launcher.64 binary is setuid root and accepts several parameters to update the system configuration. These parameters are passed to operating system commands using a "here" document and are not sanitized, allowing for arbitrary commands to be injected using shell metacharacters.

Recommendations For London Trust Media Private Internet Access (PIA) VPN Client version v82, consider restricting access to the openvpn launcher.64 binary until a patch is available. As a temporary workaround, avoid using the binary with untrusted input to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.