NordVPN and ProtonVPN obliged to push updates to patch new CVEs

Two prominent VPN providers have needed to push updates for vulnerabilities in their systems. (Source: danielmiessler.com)
Two popular VPNs have been reported as subject to security issues newly discovered by Cisco Talos. These flaws apply to those using the services on Windows PCs, and could allow a hacker access through a 'Connect' command. Both companies say they have issued updates to prevent this.

Update: A NordVPN spokesperson has asserted that the CVE had been patched by the time Cisco Talos reported on the vulnerability. Those who would like to know more on this issue are invited to follow this link

Original Article: If you are reading this on a Windows PC on which either NordVPN or ProtonVPN is running, then you may need to check that this service is fully updated. This is because both providers have each been hit by one new Common Vulnerabilities and Exposures (CVE) entry. These flaws, discovered by Cisco Talos researchers, could allow a hacker to gain control over the app and, potentially, sensitive information sent using it.

Many people use virtual private networks (VPNs) for privacy and security online, and also perhaps to bypass geo-restrictions in some cases. Therefore, it would be ironic in the extreme if such an application were subject to hacking. NordVPN, a popular provider based in Panama, is affected by CVE-2018-4010. ProtonVPN, which has been set up by a group connected to MIT, has become associated with CVE-2018-3952.

Although the two CVEs have been given different designations, they both basically do the same thing. Each involves exploiting a similarity in the interfaces of the two services that may allow the OpenVPN configuration file that is activated by clicking 'Connect' to be replaced. A replacement file with the right content could then hijack the VPN app to gain access to valuable information, or to hijack control of the interface.

On the other hand, NordVPN claims that, in the case of their interface at least, this hack requires direct access to a potential victim's computer. ProtonVPN has also asserted that CVE-2018-3952 requires additional, preliminary hacking steps for it to be exploited.

Representatives from both VPN providers have confirmed that their latest updates contain patches for the relevant CVE. Hopefully, this is the last we hear of compromised or hackable VPNs.

Deirdre O Donnell, 2018-09-11 (Update: 2018-09-14)