The Independent’s journalism is supported by our readers. When you purchase through links on our site, we may earn commission. Why trust us?
Researchers say they have found multiple security vulnerabilities affecting PureVPN’s desktop client for Linux. The two vulnerabilities include IP leaking and Remote Code Execution (RCE) in certain conditions. Since the discovery, the VPN provider says it has patched IP leaking, while the RCE issue is yet to be fixed.
Security researchers Rafay Baloch and Muhammad Sumaak were analysing PureVPN’s Linux clients when they discovered the vulnerabilities. Baloch said in his blog post that the first vulnerability was a DNS leak, which is not uncommon among VPNs. If an internet user has a DNS leak, even when connected to a VPN service, their browsing history could be leaked to their Internet Service Provider (ISP), as well as other third parties.
The DNS leak is caused by the PureVPNs Linux client’s failure to properly handle DNS queries, subsequently allowing these queries to bypass the VPN tunnel and be routed directly to the ISP or default DNS servers. The security researchers ran an IP leak test via ipleak.net – a tool designed to detect IP and DNS leaks. This test confirmed the user’s real IP address was visible despite being connected to a PureVPN server.
The second vulnerability, an RCE issue, was discovered during a dynamic analysis of the PureVPN Linux client. Baloch says: “When the login button is activated, a system call called ‘opennat()’ is initiated. This system call aims to load the ‘libnssckbi.so’ shared library file from a location that allows user-writable access. Dynamic loading is a mechanism that allows an application to load a library into its address space during runtime, rather than at compile time. However, it is essential to note that the specified path lacks the existence of the ‘libnssckbi.so’ file.”
RCE is when an attacker has the ability to run commands or codes and make changes to a device remotely. This security flaw poses a threat to those who use PureVPN’s Linux app. There are a number of ways that attackers could use this vulnerability maliciously, according to the researchers.
Potential implications of the RCE issue include Malicious Code Execution, whereby an attacker can insert and execute malicious code to a device and bypass PureVPN application whitelisting rules (restricting tools or applications to approved or vetted parties).
An RCE flaw can also be exploited by attackers and leave users vulnerable to a DDoS attack – when an attacker floods a server with requests to disrupt normal web traffic.
The vulnerability also has the potential to allow an attacker to create fake login prompts for PureVPN, which could trick users into disclosing sensitive information – this is commonly known as phishing.
The security researchers reported their findings to PureVPN. Baloch said the VPN provider fixed the IP leak, but claimed the RCE issue was a problem with Chromium rather than its own application.
PureVPN said it tested the vulnerability, mirroring the security researchers’ tests to confirm the RCE. However, it said it found the root cause of the code execution stems from a wider issue, which is affecting other applications too. The provider says the vulnerability does not explicitly affect its apps, as it exists in the Chromium Electron software framework that powers PureVPN, Slack and Google Chrome.
The researchers went on to report their findings to the Chromium project, which in turn said the vulnerability was “out of scope” because RCE is deemed to be a local attack with a low impact.
VPN security vulnerabilities, if not fixed, can put users at risk. It’s important that a VPN service is safe and secure. Many users connect to a VPN to conceal their real IP address and protect their online identity. You can check for IP leaks using an IP leak test tool; the result should only reveal your VPN server’s IP address while keeping yours hidden.
