10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.6 High
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
66.0%
IPVanish 3.0.11 for macOS suffers from a root privilege escalation vulnerability. The com.ipvanish.osx.vpnhelper
LaunchDaemon implements an insecure XPC service that could allow an attacker to execute arbitrary code as the root user. IPVanish uses a third-party library for converting xpc_object_t
types in to NSObject
types for sending XPC messages. When IPVanish establishes a new connection, the following XPC message is sent to the com.ipvanish.osx.vpnhelper
LaunchDaemon. Because the XPC service itself does not validate an incoming connection, any application installed on the operating system can send it XPC messages. In the case of the “connect” message, an attacker could manipulate the OpenVPNPath
to point at a malicious binary on the system. The com.ipvanish.osx.vpnhelper
would receive the VPNHelperConnect command, and then execute the malicious binary as the root user.
CPE | Name | Operator | Version |
---|---|---|---|
ipvanish:ipvanish | ipvanish | eq | 3.0.11 |
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.6 High
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
66.0%