This post looks at the recent security analysis of PureVPN’s Linux client by Rafay Baloch and Muhammad Sumaak, which was also covered by The Independent.
The aim in addressing the articles by The Independent and Rafay Baloch goes beyond protecting PureVPN’s reputation: it is to explain what the findings mean for users and how they fit into the broader threat landscape.
Two findings were reported: a DNS leak, and a Remote Code Execution (RCE) that applies only under specific conditions.
DNS Leak vulnerability
A DNS leak occurs when the client’s DNS queries leave the host outside the encrypted tunnel, typically to the ISP’s resolver. Even while the VPN is connected, the ISP and anyone else on that path can then see which hostnames the user resolves, which exposes browsing history and ties it to the user’s real IP address. A VPN client therefore has to make sure that every DNS query is routed through the tunnel to the VPN’s own resolver rather than to whatever resolver the underlying network handed out.
PureVPN promptly patched the vulnerability in its Linux client, closing this privacy exposure for users.
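To make the leak condition concrete, here is an added example (not PureVPN’s code and not the researchers’ tooling) that performs the check a tester would run on a Linux host: it reads the resolvers from /etc/resolv.conf, applies longest-prefix routing against the output of `ip -4 route show`, and reports any resolver whose queries would leave on an interface other than the tunnel. The resolv.conf and route samples are constructed so the example runs offline, and the tunnel interface name `tun0` is an assumption.

```python
import ipaddress

# Constructed sample of /etc/resolv.conf after a VPN client connected but left
# the LAN router's resolver in place next to the tunnel resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search lan
nameserver 10.8.0.1
nameserver 192.168.1.1
"""

# Constructed sample of `ip -4 route show` with a tunnel up. The 0.0.0.0/1 and
# 128.0.0.0/1 pair is the usual way a VPN client overrides the default route
# without deleting it.
SAMPLE_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""


def parse_nameservers(resolv_conf):
    """Return the resolver addresses listed in resolv.conf, as strings, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_routes(route_output):
    """Return [(network, device)] from `ip route show` lines."""
    routes = []
    for line in route_output.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        network = ipaddress.ip_network(dest, strict=False)
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((network, dev))
    return routes


def egress_device(addr, routes):
    """Interface a packet to `addr` leaves on: longest-prefix match, as the kernel does."""
    ip = ipaddress.ip_address(addr)
    best = None
    for network, dev in routes:
        if ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, dev)
    return best[1] if best else None


def dns_leaks(resolv_conf, route_output, tunnel_dev="tun0"):
    """Resolvers whose queries would bypass the tunnel (assumed interface name: tun0)."""
    routes = parse_routes(route_output)
    return [ns for ns in parse_nameservers(resolv_conf)
            if egress_device(ns, routes) != tunnel_dev]


if __name__ == "__main__":
    # On a real host replace the samples with open("/etc/resolv.conf").read() and
    # subprocess.check_output(["ip", "-4", "route", "show"], text=True).
    for ns in dns_leaks(SAMPLE_RESOLV_CONF, SAMPLE_ROUTES):
        print("DNS leak: resolver", ns, "is reached outside the tunnel")
```

Two caveats apply on real systems. If /etc/resolv.conf points at a local stub such as systemd-resolved’s 127.0.0.53, the routing check passes trivially and the per-link resolvers reported by `resolvectl status` have to be inspected instead; and applications that use their own DNS-over-HTTPS resolver are not covered by resolv.conf at all.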
Remote Code Execution (RCE) vulnerability
In the dynamic analysis by Baloch and Sumaak, the Remote Code Execution finding appeared when the login button of PureVPN’s Linux client was activated.
The issue is a library-loading problem: at that point the process calls openat() to load a shared library named ‘libnssckbi.so’ (the NSS built-in root certificate module) from a directory that ordinary users can write to.
Because the library is loaded at run time, if ‘libnssckbi.so’ is absent from that path, anyone who can write to the directory can place a file of that name there and have it loaded into the client’s process, which gives them code execution in the context of the client. PureVPN was able to reproduce the findings, although there was no evidence of vulnerable code in PureVPN’s own repository.
It is also important to note that PureVPN’s application is built on Electron, which embeds the Chromium engine, and this loading behaviour comes from Chromium itself, a foundation shared with applications from other companies. Any application built on the Electron framework is exposed to the same behaviour.
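The dynamic-analysis step behind this finding can be reproduced with strace. The following is an added example (neither the researchers’ tooling nor PureVPN code) that parses `strace -f -e trace=openat` output and flags shared libraries the process looked for but did not find (ENOENT) in a directory the current user can write to, which is exactly the condition for planting a replacement library. The trace lines, the pid, the path under `/home/user/.config/examplevpn` and the `writable_prefixes` list are constructed so the example runs offline; against a real trace, pass `writable_prefixes=None` and os.access() is consulted instead.

```python
import os
import re

# Constructed sample in the shape that `strace -f -e trace=openat` prints. The pid,
# the paths and the client name are placeholders, not lines from the real trace.
SAMPLE_STRACE = """\
4242 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libnss3.so", O_RDONLY|O_CLOEXEC) = 3
4242 openat(AT_FDCWD, "/home/user/.config/examplevpn/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
4242 openat(AT_FDCWD, "/tmp/libnssckbi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
4242 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/nss/libnssckbi.so", O_RDONLY|O_CLOEXEC) = 4
4242 openat(AT_FDCWD, "/home/user/.config/examplevpn/settings.json", O_RDONLY) = -1 ENOENT (No such file or directory)
"""

# One openat() line: optional pid, dirfd, quoted path, flags, return value, optional errno.
OPENAT_RE = re.compile(
    r'^(?:\d+\s+)?openat\((?P<dirfd>[^,]+), "(?P<path>[^"]+)", (?P<flags>[^)]*)\)'
    r' = (?P<ret>-?\d+)(?: (?P<errno>E[A-Z0-9]+))?'
)
SHARED_OBJECT_RE = re.compile(r'\.so(?:\.\d+)*$')


def parse_openat(line):
    """Return (path, errno_name_or_None) for an openat() trace line, else None."""
    m = OPENAT_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("errno")


def dir_is_writable(path, writable_prefixes=None):
    """Is the directory containing `path` writable by the current user?

    `writable_prefixes` stands in for the real check when the paths are constructed
    (as in the sample above); with None, os.access() is asked about the real directory.
    """
    directory = os.path.dirname(path)
    if writable_prefixes is not None:
        return any(directory == p or directory.startswith(p.rstrip("/") + "/")
                   for p in writable_prefixes)
    return os.access(directory, os.W_OK)


def search_order(trace, basename):
    """Every path the process tried for `basename`, in the order it tried them.

    A writable path that appears before the path that finally succeeded is the one
    an attacker plants into: the loader stops at the first file it finds.
    """
    order = []
    for line in trace.splitlines():
        parsed = parse_openat(line)
        if parsed and os.path.basename(parsed[0]) == basename:
            order.append(parsed[0])
    return order


def hijack_candidates(trace, writable_prefixes=None):
    """Shared objects the process looked for, did not find (ENOENT), and whose
    directory the current user can write to."""
    candidates = []
    for line in trace.splitlines():
        parsed = parse_openat(line)
        if parsed is None:
            continue
        path, errno_name = parsed
        if errno_name != "ENOENT" or not SHARED_OBJECT_RE.search(path):
            continue
        if dir_is_writable(path, writable_prefixes):
            candidates.append(path)
    return candidates


if __name__ == "__main__":
    # Real use: strace -f -e trace=openat -o trace.log ./client, then
    # hijack_candidates(open("trace.log").read()) with writable_prefixes=None.
    for p in hijack_candidates(SAMPLE_STRACE, writable_prefixes=("/home/user", "/tmp")):
        print("hijackable library path:", p)
    print("search order:", search_order(SAMPLE_STRACE, "libnssckbi.so"))
```

The condition the scanner reports is the whole of the finding: a load attempt from a user-writable directory that precedes the load from the system path. The fix on the application side is to load such modules only from an absolute, root-owned path; the scanner is equally useful for checking that the fix held after patching.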
Important points to consider
To assess this vulnerability properly, a few aspects of its nature need to be spelled out.
Nature of the vulnerability
Notably, exploiting this vulnerability requires prior access to the victim’s system, which makes it a local attack: an attacker must already have a foothold on the system, with the ability to write to the directory in question, before the vulnerability can be used.
Importantly, the PureVPN application itself does not expose an injection or remote code execution path unless the system is already compromised; in that situation the root cause is the compromised system, not the application.
Chrome’s response, as quoted by Rafay Baloch, aligns with our position:
“We consider these attacks outside Chrome’s threat model, because there is no way for Chrome (or any application) to defend against a malicious user who has managed to log into your device as you, or who can run software with the privileges of your operating system user account. Such an attacker can modify executables and DLLs, change environment variables like PATH, change configuration files, read any data your user account owns, email it to themselves, and so on. Such an attacker has total control over your device, and nothing Chrome can do would provide a serious guarantee of defense. This problem is not special to Chrome — all applications must trust the physically-local user”
Demo specifics
The researchers’ demonstration showed a reverse shell being spawned from the planted library. The key detail is that an attacker who can already write that file has local access to begin with, so the reverse shell does not establish anything the attacker did not already have.
DOS attack relevance
The relevance of a Denial of Service (DoS) attack to the reported findings was also examined. PureVPN’s verification could not reproduce a DoS in the reported scenario.
Contrary to the researcher’s conclusion, the reported vulnerabilities do not amount to a DoS attack. This clarification underscores the importance of precise interpretation and verification when evaluating the implications of security findings.
Bottom line
In conclusion, PureVPN’s response to the recent security analysis goes beyond addressing the specific findings; it is also meant to explain the broader security context to users.
While the reported Remote Code Execution (RCE) vulnerability has been discussed above, the root of the problem lies in scenarios where the user’s system is already compromised.
PureVPN’s commitment to transparency, swift action and clear explanation of the findings gives users a better understanding of the security challenges they face. As users navigate an increasingly complex threat landscape, being informed is the first line of defense.
Stay informed and secure by following the PureVPN Blog page for ongoing insights into cybersecurity and the evolving VPN landscape.