- Security researchers found a critical flaw in the IPVanish VPN app for Mac.
- The bug may allow attackers to gain full control over a user’s system.
- IPVanish says it is “working on a fix” and that only OpenVPN is affected.
A “critical privilege escalation vulnerability” was discovered in the IPVanish VPN app for macOS, potentially allowing malicious actors to gain full control over a user’s system.
Discovered by cybersecurity researchers at SecureLayer7, the flaw exploits the VPN’s “privileged helper tool,” a background component used to manage secure network connections. The researchers found that this tool only makes very limited efforts to verify who is requesting to execute commands. As a result, the bug “allows any unprivileged local process to execute arbitrary code as root without user interaction,” experts warn.
While IPVanish is a household name that is often compared to the best VPN services, the vulnerability has been assigned a severity score of 8.8 (high) and is listed as “pending.”
In a statement to TechRadar, an IPVanish spokesperson said the team is aware of the vulnerability with OpenVPN in the Mac VPN app and is “working on a fix” that will be released as soon as possible.
“All macOS users will receive an automatic message to update to the latest version,” IPVanish said, adding that customers who have never used OpenVPN are not affected.
“WireGuard is the default protocol for new installations, meaning that users who have only used the standard configuration will not be affected,” IPVanish added.
What is the IPVanish Mac vulnerability about?
The vulnerability centers on how the IPVanish application communicates with its background “helper” tool for the OpenVPN protocol (the OpenVPNPath parameter). On macOS, these helper tools run with higher-level privileges so they can change important system settings.
According to the SecureLayer7 report, the problem is that this helper tool acts like a security guard that never checks IDs. It listens to instructions but makes only very limited efforts to verify who or what is sending them.
In practice, this leaves the door wide open. Any application or program running on your Mac can send commands to this privileged helper. Because the tool does not perform all the necessary checks to confirm that the request comes from a safe or trusted source, it can easily be used by malicious software to gain complete control over the computer.
The researchers identified two main ways hackers can abuse this, both of which result “in the attacker’s script being run as root,” experts warn.
First, an attacker can simply use the OpenVPNPath parameter to make the helper launch a malicious program instead of the normal VPN software.
The second method is even more worrying because it bypasses Apple’s strict built-in protections. Typically, your Mac prevents dangerous or unapproved software from running. However, IPVanish’s handling of OpenVPNPath appears to have a major logical flaw: it only checks a file’s security signature if the file is already marked as a program that can run (an “executable”).
Hackers can easily get around this check by hiding their malicious code inside a file that is not marked as executable. The IPVanish helper sees the harmless label, assumes the file is safe, and skips the security check. Then, in a serious error, the helper tool moves the file to a safe area and changes the file’s permissions, turning it into an executable and doing the hacker’s work for them.
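The check-ordering flaw described above, modeled as an added example (not code from IPVanish or SecureLayer7): a pinned SHA-256 allowlist stands in for macOS code-signature validation, and the function names and sample files are constructed for illustration. The hardened variant verifies every file regardless of its permission bits and never grants execute permission itself.

```python
import hashlib, os, stat, tempfile

# Constructed stand-in for a code-signature check: a pinned SHA-256 allowlist.
# A real macOS helper would validate the code signature instead (assumption).
def signature_ok(path, trusted_digests):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest() in trusted_digests

def flawed_prepare(path, trusted_digests):
    """Pattern described in the article: verify only if already executable."""
    mode = os.stat(path).st_mode
    if mode & stat.S_IXUSR and not signature_ok(path, trusted_digests):
        return False                      # only executables are ever checked
    os.chmod(path, mode | stat.S_IXUSR)   # helper then makes the file runnable
    return True

def hardened_prepare(path, trusted_digests):
    """Verify unconditionally; never grant execute permission to caller input."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):      # reject symlinks, directories, devices
        return False
    if not signature_ok(path, trusted_digests):
        return False
    return bool(st.st_mode & stat.S_IXUSR)  # must already be executable

def demo():
    """Run both validators over a constructed trusted and untrusted file."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "openvpn")       # constructed sample files
        bad = os.path.join(d, "notes.txt")
        with open(good, "wb") as f: f.write(b"trusted build")
        with open(bad, "wb") as f: f.write(b"untrusted content")
        os.chmod(good, 0o755)
        os.chmod(bad, 0o644)                    # not executable, not allowlisted
        trusted = {hashlib.sha256(b"trusted build").hexdigest()}
        # Hardened checks run first because the flawed one modifies the file.
        results["hardened_good"] = hardened_prepare(good, trusted)
        results["hardened_bad"] = hardened_prepare(bad, trusted)
        results["flawed_good"] = flawed_prepare(good, trusted)
        results["flawed_bad"] = flawed_prepare(bad, trusted)
        results["bad_now_executable"] = bool(os.stat(bad).st_mode & stat.S_IXUSR)
    return results

if __name__ == "__main__":
    print(demo())
```

A production helper would also hold one open file descriptor across the check and the launch so the file cannot be swapped between the two steps.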
Stay safe
It is important to emphasize that this is a Local Privilege Escalation (LPE) vulnerability. This means that a hacker cannot exploit this bug remotely over the Internet just by knowing your IP address. The attack “requires only local access to the system where IPVanish VPN is installed,” meaning a hacker must already have a foothold on your machine through malware or physical access.
SecureLayer7 states that fixing this issue will require significant changes to the application architecture. “The most critical immediate mitigation is to implement call authentication in the XPC event handler,” the firm advises.
For its part, IPVanish maintains that only macOS users who connect using the OpenVPN protocol are affected by this vulnerability.
However, until IPVanish releases a patch, users should remain vigilant.
“If a customer has used OpenVPN, open the macOS desktop software, click Settings, Protocol, and select OpenVPN. You’ll see a section called ‘OpenVPN Driver’; please click the ‘Uninstall’ button below that. This will resolve the vulnerability before the next release,” explains IPVanish.