Security advisory: Mullvad VPN client for Windows 2020.3 local privilege escalation

security research, advisory, vulnerability, privilege escalation
Advisory information

Title: Mullvad VPN client for Windows 2020.3 local privilege escalation
Advisory reference: BLAZE-03-2020
Product: Mullvad 2020.3 for Windows
CVE reference: CVE-2020-14197
Disclosure mode: Coordinated

Product description

Mullvad is a Sweden-based VPN provider with a strong focus on privacy. It has been in business for over 10 years and has a track record in addressing security issues promptly, such as Heartbleed, and regularly hires independent third party audit of their software.

The service provided by Mullvad is used by customers worldwide and includes partners such as Mozilla and Malwarebytes.

Vulnerability details

Under certain conditions, Mullvad VPN for Windows is vulnerable to a local privilege escalation allowing low privileged users to elevate their privileges to SYSTEM.

mullvad-daemon.exe is the daemon service used by Mullvad VPN for Windows. The service runs with System integrity, with effective NT AUTHORITY\SYSTEM privileges.

By configuring Process Monitor (ProcMon) to log all occurrences of activities of services during boot time and certain filters in, for example, "PATH NOT FOUND" or "NAME NOT FOUND" to detect unsuccessful access to DLLs or configuration files in the filesystem.

procmon-filter

It was noted mullvad-daemon.exe tried to look for an openssl.cnf file in the directory C:\Users\build\mullvadvpn-app\dist-assets\binaries\msvc-openssl

procmon-filter2

As documented in PIA Windows Privilege Escalation: Malicious OpenSSL Engine [1], openssl.cnf files can allow for external engines to be loaded, including DLL files.

openssl-cfg

maliciousdll-1

The exploitation scenario is not very trivial because of the constraint related to the C:\Users\build. A development machine may have a username named build, in which different developers have access to the account, therefore allowing for exploitation.

A user named build, with access to his or her own directory, can create the necessary sub folders, plant a rogue openssl.cnf that will contain a dynamic_path parameter pointing to a malicious DLL.

procmon-filter4

The dynamic library will later be loaded by mullvad-daemon.exe using Load Image as SYSTEM, without impersonation, allowing for privilege escalation due to the rogue DLL being loaded into the service's memory.

loadimage

Fix and recommendations

Mullvad addressed the issue by replacing OpenSSL for rusttls, improving the overall security of the software by moving away from libraries written in memory unsafe languages.

Users are encouraged to upgrade Mullvad VPN to version 2020.4.

Credits

This vulnerability was discovered and researched by Julio Cesar Fort from
Blaze Information Security (https://www.blazeinfosec.com)

Disclosure timeline

24/02/2020: Vulnerability reported to [email protected];
25/02/2020: Initial response from Mullvad stating they received the report;
22/04/2020: Follow up made - Mullvad informed the issue is being addressed in the next release;
13/05/2020: Version 2020.4 released, addressing the problem;
16/06/2020: MITRE assigned CVE-2020-14197 to this issue;
22/06/2020: Advisory released.

References

[1] https://blog.mirch.io/2019/06/10/cve-2019-12572-pia-windows-privilege-escalation-malicious-openssl-engine/
[2] https://mullvad.net/en/blog/2020/5/13/latest-desktop-release-20204-packed-updates/

About Blaze Information Security

Blaze Information Security is a privately held, independent information security firm born from years of combined experience. With presence in South America and Europe, Blaze has a team of senior security engineers with past experience in leading information security consulting companies around the world and a proven track record of published security research.

E-Mail: [email protected]
Wildfire Labs blog: https://blog.blazeinfosec.com
Twitter: https://www.twitter.com/blazeinfosec
Github: https://www.github.com/blazeinfosec

PGP key fingerprint: DB53 D9D9 F0E1 E513 4F52 8219 C33B C7FA C5D0 E926

Share

Comments