CVE-2020-5180

Name of the Vulnerable Software and Affected Versions Viscosity version 1.8.2

Description The issue allows an unprivileged user to set certain OpenVPN parameters, potentially loading a malicious library into the OpenVPN process memory. This can lead to limited local privilege escalation. When a VPN connection is initiated using a TLS/SSL client profile, the privileges are dropped, and the library will be loaded, resulting in arbitrary code execution as a user with limited privileges.

Recommendations For Viscosity version 1.8.2, consider restricting the ability of unprivileged users to set OpenVPN parameters until a patch is available. As a temporary workaround, avoid using TLS/SSL client profiles for VPN connections to minimize the risk of exploitation.