[VS-2018-014] VPN Unlimited for MacOS Root Privilege Escalation Vulnerability
CVE ID
CVE-2018-8739
CVSS Score
Vendor
Keep Solid
Product
VPN Unlimited for MacOS
Product Version
< 4.2.0
Vulnerability Details
VPN Unlimited for MacOS suffers from a root privilege escalation vulnerability in its privileged helper tool. The privileged helper tool implements an XPC interface, which allows arbitrary applications to execute system commands as root.
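A hardened helper for this class of bug, as an added example that is not VerSprite's proof of concept or the vendor's code: the listener only accepts clients that satisfy a code signing requirement, and the exported interface offers one fixed operation instead of a command supplied by the caller. The service name, client identifier, team ID and the `flushDNSCacheWithReply:` method are hypothetical; the listener-level requirement API needs macOS 13 or later.

```objective-c
#import <Foundation/Foundation.h>

// Assumed placeholders: Mach service name, client bundle identifier, team ID.
static NSString *const kServiceName = @"com.example.vpn.helper";
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.vpn.client\" "
    @"and certificate leaf[subject.OU] = \"EXAMPLETEAM\"";

// Hypothetical interface: one fixed operation, no command string from the client.
@protocol HelperProtocol
- (void)flushDNSCacheWithReply:(void (^)(BOOL ok))reply;
@end

@interface Helper : NSObject <NSXPCListenerDelegate, HelperProtocol>
@end

@implementation Helper
- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)connection {
    connection.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    connection.exportedObject = self;
    [connection resume];
    return YES;
}

- (void)flushDNSCacheWithReply:(void (^)(BOOL ok))reply {
    // Absolute path and constant arguments; nothing goes through a shell.
    NSTask *task = [[NSTask alloc] init];
    task.executableURL = [NSURL fileURLWithPath:@"/usr/bin/dscacheutil"];
    task.arguments = @[ @"-flushcache" ];
    NSError *error = nil;
    if (![task launchAndReturnError:&error]) { reply(NO); return; }
    [task waitUntilExit];
    reply(task.terminationStatus == 0);
}
@end

int main(void) {
    @autoreleasepool {
        if (@available(macOS 13.0, *)) {
            NSXPCListener *listener =
                [[NSXPCListener alloc] initWithMachServiceName:kServiceName];
            // Peers that fail the requirement are rejected before the delegate runs.
            [listener setConnectionCodeSigningRequirement:kClientRequirement];
            Helper *helper = [Helper new];
            listener.delegate = helper;
            [listener resume];
            [[NSRunLoop currentRunLoop] run];
        }
        return EXIT_FAILURE; // Refuse to serve without peer validation.
    }
}
```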
Vendor Response
The VPN Unlimited team is reviewing.
Disclosure Timeline
- 03-04-2018 - Vendor disclosure via email
- 03-04-2018 - Vendor notified via Facebook
- 03-05-2018 - Vendor response and follow up
- 03-06-2018 - Vendor requested additional information, POC and follow up
- 03-08-2018 - VerSprite provided vendor with additional information and POC
- 03-09-2018 - Vendor response
- 03-13-2018 - Vendor notified of disclosure schedule
- 03-14-2018 - Vendor notified of advisory release
Credit
Benjamin Watson of VerSprite Security (@rotlogix)