CVE-2021-44466

Name of the Vulnerable Software and Affected Versions: Bitmask Riseup VPN version 0.21.6

Description: The issue is related to improper access controls in the software. When installed in a non-default directory off the system root, the installer fails to properly set Access Control Lists (ACLs). This allows lower privileged users to replace the VPN executable with a malicious one. If a higher privileged user, such as an Administrator, launches the malicious executable, it is possible for the lower privileged user to escalate to Administrator privileges.

Recommendations: For Bitmask Riseup VPN version 0.21.6, consider restricting access to the VPN executable until a patch is available. As a temporary workaround, ensure that the installation directory has proper ACLs set to prevent lower privileged users from replacing the executable. At the moment, there is no information about a newer version that contains a fix for this vulnerability.