Allele Security Alert
ASA-2018-00044
Identifier(s)
ASA-2018-00044
Title
Insecure update process allows remote code execution
Vendor(s)
SwitchVPN
Product(s)
SwitchVPN for macOS and Windows
Affected version(s)
SwitchVPN 2.1012.03
Fixed version(s)
Unknown
Proof of concept
Unknown
Description
The update process in the SwitchVPN client is vulnerable to a MiTM (man-in-the-middle) attack. Either the client checks for the availability of a new version using the integrated auto-update function, or the user manually initiates an update using an update utility. Version information is pulled from a remote XML file and compared to the version number of the currently installed SwitchVPN client.
All requests are transmitted over HTTP, which means that an attacker on the same network is able to intercept and manipulate the traffic.
As a result, an attacker can cause the SwitchVPN client to download a malicious update package, which will be installed on the device. In addition, an attacker is able to implant an installation script (installscript.qs), which is executed immediately with elevated privileges. When auto-update is enabled (which is the default setting), this process happens completely transparently to the user.
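The checks an update client needs before it installs anything, as an added example that is not part of the original advisory and is not SwitchVPN code. The manifest element names, URLs and package bytes are constructed for illustration, and certificate validation is assumed to be done by the HTTP client that fetches the files.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample data: element names and URLs are hypothetical,
# not SwitchVPN's real update format.
PACKAGE = b"constructed installer bytes"
MANIFEST = """<update>
  <version>2.1012.04</version>
  <url>https://updates.example.invalid/client.pkg</url>
  <sha256>{digest}</sha256>
</update>""".format(digest=hashlib.sha256(PACKAGE).hexdigest())

class UpdateRejected(Exception):
    pass

def parse_version(text):
    # "2.1012.03" -> (2, 1012, 3), compared numerically, not as strings
    return tuple(int(part) for part in text.strip().split("."))

def require_https(url):
    if urlsplit(url).scheme != "https":
        raise UpdateRejected("cleartext transport: " + url)

def check_manifest(manifest_url, manifest_xml, installed):
    """Return (package_url, sha256_hex) only if the update may proceed."""
    require_https(manifest_url)      # the manifest must arrive authenticated
    root = ET.fromstring(manifest_xml)
    url = root.findtext("url", "")
    require_https(url)               # and so must the package it points to
    if parse_version(root.findtext("version", "0")) <= parse_version(installed):
        raise UpdateRejected("not newer than installed version")
    return url, root.findtext("sha256", "").lower()

def check_package(data, expected_sha256):
    """Compare the downloaded bytes with the digest from the manifest."""
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual.encode(), expected_sha256.encode()):
        raise UpdateRejected("package digest mismatch")
    return True

def rejected(func, *args):
    """True when a check refuses its input (helper for exercising the checks)."""
    try:
        func(*args)
    except UpdateRejected:
        return True
    return False
```

The digest is only meaningful because the manifest carrying it is fetched over TLS with certificate validation. A vendor signature on the package, verified before any install script runs, would additionally cover a compromised update server.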
Technical details
Unknown
Credits
Bernd Leitner
Reference(s)
SwitchVPN Insecure Update Process and RCE
https://seclists.org/fulldisclosure/2018/Nov/39
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 6, 2019