leap / bitmask-vpn / Issues / #569
Closed
Issue created Nov 03, 2021 by Kali Kaneko (@kali, Owner)

Windows: Privilege Escalation due to improper ACLs set by QTIFW

Tenable has contacted Riseup about a security vulnerability that an associated researcher found in the latest Windows release.

The issue seems to be caused by improper ACLs set by the QTIFW installer when the installation path is set outside of the default path (i.e. "Program Files (x86)"). A regular user can then overwrite the openvpn binary, which will then be executed with administrator privileges and can potentially lead to complete control of the machine.

This issue will be initially marked as confidential. Once we release a proper remediation, a security advisory will be issued in coordination with Tenable and this issue will be made public. According to Tenable's disclosure policy, the limit date for a disclosure is January 16, 2022.

Edited Nov 03, 2021 by Kali Kaneko
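
A defensive check for the condition described in this issue, added here as an example and not part of the original issue or the bitmask-vpn code base: it lists Allow ACEs on an install directory and its executables that grant write-type rights to ordinary-user groups. The default path, the SID list and the function name `Get-WritableAce` are assumptions.

```powershell
# Added example: audit an install directory for ACEs that let unprivileged
# principals replace files. The default path is a placeholder (assumption).
param([string]$InstallDir = 'C:\PLACEHOLDER\custom-install-dir')

# Well-known SIDs of groups that contain ordinary users.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-4',       # INTERACTIVE
    'S-1-5-32-545'   # BUILTIN\Users
)

# Rights that allow overwriting, deleting or re-permissioning a file, plus
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000), which show up
# unmapped in inherit-only ACEs.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int]$rights -bor 0x40000000 -bor 0x10000000

# Hypothetical helper: returns one object per risky Allow ACE on $Path.
function Get-WritableAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Include explicit and inherited ACEs; ask for SIDs so localized group names do not matter.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivSids -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Check the directory itself (write access there allows planting files)
# and every executable or library below it.
$targets = @($InstallDir) + @(Get-ChildItem -LiteralPath $InstallDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } | ForEach-Object { $_.FullName })
$findings = @($targets | ForEach-Object { Get-WritableAce -Path $_ })

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning "$($findings.Count) ACE(s) grant write access to unprivileged groups."
    exit 1
}
Write-Output "No write-type ACEs for unprivileged groups under $InstallDir"
```

The check ignores Deny ACEs and per-user ACEs, so a clean result covers only the four groups listed.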