A local privilege escalation vulnerability has been found in the NetworkManager VPNC plugin (network-manager-vpnc). The flaw is a newline injection in VPN connection properties, and a Metasploit local exploit module abuses it through the connection's username to gain root access.
The issue was discovered by Denis Andzakovic, who found that the network-manager-vpnc plugin, which provides VPNC support in NetworkManager, could be exploited for privilege escalation: a newline character embedded in a connection property injects a "Password helper" directive into the configuration that the plugin writes for vpnc. The risk is that a local user who is allowed to create or modify NetworkManager connections (as ordinary desktop users usually are under the default polkit policy) can use this to alter system settings and execute arbitrary commands with root privileges.
The issue was reported to GNOME Security on 11 July 2018, and an acknowledgement was received two days later, on 13 July. The identifier CVE-2018-10900 was assigned on 20 July, and network-manager-vpnc 1.2.6, which fixes the issue, was released the following day, 21 July. GNOME Security published an advisory on 21 July as well.
The Metasploit module exploits this same CVE through the username field. It creates a VPN connection whose Xauth username contains a newline followed by a Password helper directive, so that when the connection is brought up the injected directive lands in the configuration that the plugin hands to vpnc alongside the legitimate settings.
Because the password helper is simply the path of a program that vpnc executes to obtain the VPN password, and the plugin service that spawns vpnc is run by NetworkManager as root, the injected helper is executed as root when the connection is started. The attacker therefore gets full root execution, not merely the ability to interfere with the VPN.
This vulnerability affects network-manager-vpnc versions before 1.2.6. The Metasploit module discussed here has been tested against network-manager-vpnc 1.2.4-1 on Debian 9.0.0 (x64) and 1.1.93-1 on Ubuntu Linux 16.04.4 (x64). Check the installed version with the distribution's package manager (for example dpkg -s network-manager-vpnc on Debian and Ubuntu) and upgrade to 1.2.6 or later.
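The following is an added illustration for this article, not code from network-manager-vpnc, NetworkManager or the Metasploit module. It models why a newline in a VPN property is a root primitive (the mechanism described above), shows the hardening a serialiser needs (reject line breaks in values; the upstream fix is not reproduced here, only its effect), provides an audit over a generated configuration for directives that should not be present, and checks a package version against the fixed release. The directive names are real vpnc configuration keywords; the gateway, user name and helper path are constructed sample data.

```python
"""
Why a newline in a NetworkManager VPN property is a root primitive.

Added illustration for this article: this is not the code of
network-manager-vpnc, NetworkManager or the Metasploit module. It
models how a plugin that serialises connection properties into vpnc's
line-oriented configuration becomes injectable, what the fix looks like
(reject line breaks in values), and how to audit a generated
configuration for directives that should not be there. Directive names
are real vpnc keywords; the gateway, user name and helper path are
constructed sample data.
"""

# Directives a plugin legitimately emits for an Xauth/PSK connection.
# Any other directive in the generated configuration was injected.
EXPECTED_DIRECTIVES = (
    "IPSec gateway",
    "IPSec ID",
    "IPSec secret",
    "IKE Authmode",
    "Xauth username",
    "Xauth password",
)

# First release that fixes CVE-2018-10900, as stated in the article.
FIXED_VERSION = (1, 2, 6)

# Constructed sample: the username carries a newline followed by a
# "Password helper" directive pointing at an attacker-owned script.
SAMPLE_PROPS = {
    "IPSec gateway": "vpn.example.test",
    "IPSec ID": "corp-group",
    "Xauth username": "alice\nPassword helper /tmp/helper",
}


def build_vpnc_config(props):
    """Vulnerable serialiser: each property becomes one 'keyword value'
    line and values are written verbatim. A '\\n' inside a value ends
    the current line and starts a new directive chosen by whoever set
    the property."""
    return "".join(f"{keyword} {value}\n" for keyword, value in props.items())


def validate_props(props):
    """Return the property names whose values contain a line break.
    A serialiser must run this check before emitting anything."""
    return [k for k, v in props.items() if "\n" in v or "\r" in v]


def build_vpnc_config_safe(props):
    """Hardened serialiser: refuses the whole connection if any value
    could break out of its line."""
    bad = validate_props(props)
    if bad:
        raise ValueError(f"line break in VPN property: {', '.join(bad)}")
    return build_vpnc_config(props)


def find_injected_directives(config_text):
    """Audit a generated vpnc configuration: return every non-empty line
    that does not start with an expected directive. 'Password helper'
    is the dangerous one, but any surprise is worth a look."""
    injected = []
    for line in config_text.splitlines():
        if not line.strip():
            continue
        if not any(line == d or line.startswith(d + " ") for d in EXPECTED_DIRECTIVES):
            injected.append(line)
    return injected


def is_vulnerable_version(version_string):
    """True if the upstream version (Debian revision stripped, e.g.
    '1.2.4-1' -> 1.2.4) is older than the fixed release."""
    upstream = version_string.split("-", 1)[0]
    return tuple(int(p) for p in upstream.split(".")) < FIXED_VERSION


if __name__ == "__main__":
    cfg = build_vpnc_config(SAMPLE_PROPS)
    print("--- what a vulnerable plugin would hand to vpnc ---")
    print(cfg, end="")
    print("injected:", find_injected_directives(cfg))
    print("rejected by hardened builder:", validate_props(SAMPLE_PROPS))
    for v in ("1.1.93-1", "1.2.4-1", "1.2.6"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```

Run stand-alone, the vulnerable builder turns the single "Xauth username" property into two lines, the second of which is the injected "Password helper /tmp/helper"; the hardened builder refuses the same input, and the audit flags the stray directive. On a real host the equivalent checks are to inspect stored NetworkManager connection profiles for VPN property values that contain a line break or an unexpected directive keyword, and to confirm the installed package version is 1.2.6 or later.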