Trustwave expert found 2 credential leak issues in Windows PureVPN Client
29.9.2018 securityaffairs Vulnerability
A Trustwave expert discovered that the PureVPN client for Windows is affected by two vulnerabilities that could result in a credential leak.
Manuel Nader, an expert from Trustwave, discovered two vulnerabilities in the PureVPN client for Windows that could be exploited by a local attacker to access the stored password of the last user who successfully logged in to the PureVPN service.
The attack works against users of the PureVPN client with a default installation and is launched directly through the graphical user interface.
The experts tested for these flaws under the following assumptions and conditions:
The PureVPN client has a default installation.
The attacker has access to any local user account.
Someone has successfully logged in to the PureVPN using the client on a Windows machine at any point in time.
The Windows machine has more than one user, in the case of disclosing another user's credentials in a multiuser environment.
Nader discovered that the user password is visible in the configuration window of the PureVPN Windows client; the issue affects version 18.104.22.168.
To access the password, the attacker just needs to open the configuration window, open the “User Profile” tab, and click on “Show Password.”
“The PureVPN Windows Client provided by PureVPN may allow a local attacker to retrieve the stored password of the last user who successfully logged in to the PureVPN service. Because of this, a local attacker may obtain another user’s PureVPN credentials when a Windows machine has multiple users if they have successfully logged in.” states the advisory published by Trustwave.
“The attack is done exclusively through the GUI (Graphical User Interface), there’s no need to use an external tool.”
Nader also discovered that the PureVPN client for Windows stores the login credentials in plain text in a login.conf file under the path 'C:\ProgramData\purevpn\config\'.
The researcher found that any local user has permission to read this file.
“The PureVPN Windows Client stores the Login Credentials (username and password) in plaintext. The location of such files is: ‘C:\ProgramData\purevpn\config\login.conf'” continues the advisory.
“Additionally, all local users can read this file.”
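A defender can check a host for the second issue by inspecting the ACL of the file the advisory names. The following is an added example, not code from Trustwave or PureVPN; the function name and the set of well-known SIDs treated as "all local users" are choices made for this example, and only the file path comes from the advisory.

```powershell
# Added example: report whether broad local groups can read the credential file.
# Path is from the advisory; Get-BroadReadAccess and the SID list are hypothetical names/choices.
function Get-BroadReadAccess {
    param([Parameter(Mandatory)][string]$Path)

    # Well-known SIDs that cover every local user (locale-independent).
    $broad = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-4'      = 'INTERACTIVE'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    $read = [System.Security.AccessControl.FileSystemRights]::ReadData

    # Nothing to audit if the client never stored credentials on this host.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Verbose "$Path not present"
        return
    }

    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and $broad.ContainsKey($sid) -and
            ($rule.FileSystemRights -band $read) -eq $read) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $broad[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

$findings = @(Get-BroadReadAccess -Path 'C:\ProgramData\purevpn\config\login.conf')
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning 'login.conf is readable by all local users; update the PureVPN client.'
} else {
    Write-Output 'No broad read access found (or file not present).'
}
```

The check only lists Allow rules for the broad groups and does not evaluate Deny rules, so treat a finding as a prompt to review the full ACL.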
The expert reported the issues to the vendor in mid-August 2017, and a security patch addressing them was released in June 2018.
PureVPN users are urged to update to version 6.1.0 or later.
“Finally, some recommendations are:
In case you use the PureVPN for Windows, verify you are running the latest version, if not update.
Never reuse password between services.
Whenever possible, enable two-factor authentication.” recommends Trustwave.