Source: vulnreport@tenable.com
Bitmask Riseup VPN 0.21.6 contains a local privilege escalation flaw due to improper access controls. When the software is installed to a non-default installation directory off the system root, the installer fails to set restrictive ACLs on the installed files. This allows lower-privileged users to replace the VPN executable with a malicious one. When a higher-privileged user such as an Administrator later launches that executable, the lower-privileged user's code runs with Administrator privileges.
Bitmask Riseup VPN 0.21.6 is vulnerable to a local privilege escalation attack. A low-privileged local user can exploit the improper access controls left behind by the installer to replace the VPN executable with a crafted payload, gaining Administrator privileges when a higher-privileged user launches the VPN software. This vulnerability poses a significant risk to the confidentiality, integrity, and availability of systems running the affected software.
Step 1: Installation: The victim installs Bitmask Riseup VPN 0.21.6 to a non-default installation directory, which is the condition under which the installer leaves the ACLs unset.
Step 2: File Overwrite: The attacker, with lower privileges, identifies the location of the VPN executable (e.g., riseup-vpn.exe).
Step 3: Payload Delivery: The attacker crafts a malicious executable (e.g., a reverse shell, a keylogger, or a persistence mechanism) and names it identically to the legitimate VPN executable.
Step 4: File Replacement: The attacker overwrites the legitimate VPN executable with their malicious payload, exploiting the lack of proper ACLs.
Step 5: Triggering Execution: A higher-privileged user (e.g., an Administrator) launches the Bitmask Riseup VPN application. This could be triggered by the user directly or through an automated process.
Step 6: Privilege Escalation: The attacker's malicious payload executes with the privileges of the higher-privileged user, granting the attacker elevated access to the system.
The vulnerability stems from a flaw in the installer's access control list (ACL) configuration. When installing Bitmask Riseup VPN to a non-default directory, the installer fails to set restrictive ACLs on the VPN executable, so non-privileged users retain write access to it and can overwrite it with a malicious version. When a higher-privileged user, such as an Administrator, later launches the compromised executable, the attacker's payload runs with elevated privileges. The root cause is the installer's failure to remove write access for non-privileged users from a file that is later executed in a privileged context: a classic case of insecure file permissions producing a privilege escalation.
While no specific APT groups are explicitly linked to this CVE, the nature of the vulnerability makes it attractive to various threat actors. It could be leveraged by groups seeking to establish persistence, steal credentials, or deploy ransomware. The ease of exploitation also makes it a likely target for opportunistic attacks. CISA KEV status is unlikely, given the limited scope of the affected software and the fact that it is not a widely used product.
Monitor file system activity for suspicious modifications to the Bitmask Riseup VPN executable (e.g., riseup-vpn.exe).
Analyze process creation events, looking for the execution of unexpected processes launched by the VPN executable.
Review security event logs for unusual privilege escalation attempts.
Check file permissions on the VPN executable to ensure that only authorized users or groups have write access.
Implement file integrity monitoring to detect unauthorized changes to the VPN executable.
Upgrade to a patched version of Bitmask Riseup VPN (if available).
Implement proper ACLs on the VPN executable, restricting write access to only the necessary users or groups (e.g., the SYSTEM account and the user performing the installation).
Ensure that the installation directory is protected from unauthorized modification.
Use a file integrity monitoring solution to detect any unauthorized changes to the VPN executable.
Regularly audit file permissions and access controls on critical system files.
Implement application whitelisting to restrict the execution of unauthorized executables.
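As an added defender-side example (not code from the advisory or the Bitmask project), the following PowerShell script implements the permission check and ACL hardening recommended above: it lists ACEs on the install directory and the VPN executable that grant write-class rights to low-privileged principals and, with -Fix, rebuilds the DACL so only SYSTEM and Administrators can modify them. The default install path, the well-known SID list, and the chosen replacement permissions are assumptions for illustration.

```powershell
# Added defender-side example; not code from the advisory or the Bitmask project.
# Reports ACEs that give low-privileged principals write-class rights on the
# Riseup VPN install directory and executable (the advisory's condition) and,
# with -Fix, rebuilds the DACL. Run elevated. The install path is an assumed example.
param(
    [string]$InstallDir = 'D:\Apps\RiseupVPN',   # assumed non-default location
    [string]$ExeName    = 'riseup-vpn.exe',      # executable named in the advisory
    [switch]$Fix
)
$FSR = [System.Security.AccessControl.FileSystemRights]
# Any of these rights lets a user replace the file or re-permission it; the two
# generic bits cover ACEs stored as GENERIC_ALL / GENERIC_WRITE.
$WriteMask = [int]($FSR::Write -bor $FSR::Modify -bor $FSR::FullControl -bor
    $FSR::Delete -bor $FSR::TakeOwnership -bor $FSR::ChangePermissions) -bor
    0x10000000 -bor 0x40000000
# Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE: every local user is in these.
$LowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'

function Get-WeakAce([string]$Path) {
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        try { $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { return $false }   # unresolvable identity: skip rather than guess
        $_.AccessControlType -eq 'Allow' -and ($LowPrivSids -contains $sid) -and
        (([int]$_.FileSystemRights -band $WriteMask) -ne 0)
    }
}

function Repair-Acl([string]$Path, [bool]$IsDir) {
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)            # stop inheriting from the parent
    foreach ($ace in @($acl.Access)) { $null = $acl.RemoveAccessRuleAll($ace) }  # drop explicit ACEs
    $inh = if ($IsDir) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    foreach ($g in @(@('NT AUTHORITY\SYSTEM', 'FullControl'), @('BUILTIN\Administrators', 'FullControl'),
                     @('BUILTIN\Users', 'ReadAndExecute'))) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $g[0], $g[1], $inh, 'None', 'Allow'
        $acl.SetAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$targets = @(@{ Path = $InstallDir; IsDir = $true },
             @{ Path = (Join-Path $InstallDir $ExeName); IsDir = $false })
foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t.Path)) { Write-Warning "Missing: $($t.Path)"; continue }
    $weak = @(Get-WeakAce $t.Path)
    if ($weak.Count -eq 0) { Write-Host "OK    $($t.Path)"; continue }
    foreach ($a in $weak) { Write-Host "WEAK  $($t.Path): $($a.IdentityReference) -> $($a.FileSystemRights)" }
    if ($Fix) { Repair-Acl $t.Path $t.IsDir; Write-Host "FIXED $($t.Path)" }
}
```

Without -Fix the script only reports, so it can also be scheduled as a periodic audit of the install location; run it with -Fix once to apply the restrictive DACL.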