A Reddit user with the handle ‘Educational-Map-8145’ published a proof of concept exploit for a zero-day flaw in the Linux client of Atlas VPN. The exploit code works against the latest version of the client, 1.0.3.
The researchers explained that the Atlas VPN Linux Client has two components, a daemon (atlasvpnd) that manages the connections and a client (atlasvpn) that enables users to connect, disconnect, and list services. The Reddit user pointed out that the client does not support any authentication mechanism.
The exploit code published by the researcher can be uploaded to any webserver, then visiting a site using the linux client for AtlasVPN, it terminates the active Atlas VPN sessions and leaks the IP address.
The PoC uses a hidden frame and sends the API command stop to drop the connection
and can be sent by any unauthenticated attacker.
The Reddit user claims that Atlas VPN ignored him when he tried to report the issue, but finaly it seems that Atlas VPN recognized the issue and apologized for the problem and the delay in the response.
The company announced that is working to fix the problem.
Atlas VPN Linux client users are recommended to avoid using the software until the issue is fixed.
(SecurityAffairs – hacking, Atlas)