Nord VPN v6.14.31 suffers from Local Vector DoS Vulnerability

A denial of service vulnerability was found in the Nord VPN version 6.14.31 on the 30th of August, 2018. This vulnerability was discovered by LORD (borna nematzadeh) who also provided a proof of concept for the exploit. According to LORD’s experimentation with it, the exploit exists in version 6.14.31 of the Nord VPN and it is exploitable on the Windows 10 operating system.

According to LORD, the vulnerability is exploited when the python exploit code is run. The nord.txt file must be opened and the contents of the text file must be copied onto the device’s clipboard. Next, the Nord VPN application must be opened and run, entering any arbitrary email address into the username field of the login page and pasting the clipboard copied text file contents into the password field. Pressing enter causes the application to crash, requiring that you quit the application entirely, refresh it, and restart it again.

A CVE identification label has not been assigned to the vulnerability as of yet and news hasn’t emerged from the vendor regarding the issue either. There are no mitigation techniques or advisories at present to avoid the denial of service crash in the Nord VPN software other than being aware of the full trail of the proof of concept presented and avoiding the steps necessary to deliberately cause a denial of service crash.

Given the details of the vulnerability, I believe that the vulnerability falls at a base score of 4 approximately in terms of risk. It has a local attack vector and low attack complexity. The vulnerability also doesn’t need any privileges to execute or require any user interaction to move forward. There doesn’t appear to be any confidentiality or integrity impact. The only factor affected is the application’s availability due to the denial of service crash. This exploit is easily avoidable and doesn’t pose a significant risk to the user’s privacy or security; it only affects convenience due to its ability to cause the application to stop responding.