Login Sign Up

CVE-2020-15076

7.8 HIGH

📋 TL;DR

The Private Tunnel installer for macOS versions 3.0.1 and older contains a symlink vulnerability that allows attackers to corrupt critical system files. This occurs when the installer follows symlinks in the /tmp directory, potentially leading to system compromise. Only macOS users running affected Private Tunnel versions are impacted.

💻 Affected Systems

Products:
  • Private Tunnel VPN client
Versions: 3.0.1 and older versions
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects macOS installations where the Private Tunnel installer is run with sufficient privileges.

📦 What is this software?

Private Tunnel by Openvpn

View all CVEs affecting Private Tunnel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through corruption of critical system files, potentially leading to root access, data loss, or system instability requiring reinstallation.

🟠

Likely Case

Local privilege escalation or denial of service through targeted file corruption, allowing attackers to modify system configurations or crash services.

🟢

If Mitigated

Minimal impact if proper file permissions and access controls prevent unauthorized symlink creation in /tmp.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring access to the target system.
🏢 Internal Only: MEDIUM - Insider threats or compromised user accounts could exploit this for privilege escalation within the organization.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to create symlinks in /tmp and trigger the installer with elevated privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions newer than 3.0.1

Vendor Advisory: https://swupdate.openvpn.net/downloads/privatetunnel/changelog.txt

Restart Required: No

Instructions:

1. Download latest Private Tunnel version from official source. 2. Uninstall old version. 3. Install updated version. 4. Verify version is newer than 3.0.1.

🔧 Temporary Workarounds

Secure /tmp directory permissions

all

Restrict symlink creation in /tmp to prevent exploitation

chmod 1777 /tmp
chmod +t /tmp

Run installer with minimal privileges

all

Avoid running installer with elevated privileges when possible

🧯 If You Can't Patch

  • Remove or disable Private Tunnel until patched
  • Implement strict access controls on /tmp directory and monitor for suspicious symlink creation

🔍 How to Verify

Check if Vulnerable:

Check Private Tunnel version in application settings or via 'defaults read /Applications/Private\ Tunnel.app/Contents/Info.plist CFBundleShortVersionString'

Check Version:

defaults read /Applications/Private\ Tunnel.app/Contents/Info.plist CFBundleShortVersionString

Verify Fix Applied:

Confirm version is newer than 3.0.1 using same command

📡 Detection & Monitoring

Log Indicators:

  • Unusual symlink creation in /tmp directory
  • Private Tunnel installer execution with elevated privileges

Network Indicators:

  • None - local vulnerability only

SIEM Query:

process_name:"Private Tunnel" AND process_integrity_level:"High" OR file_path:"/tmp/*" AND file_operation:"symlink"

📊 Metadata

CVE ID: CVE-2020-15076
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-61
Published: May 26, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-15076, you might also want to check these:

CVE-2025-23394 9.8

A UNIX symbolic link following vulnerability in cyrus-imapd on openSUSE Tumbleweed allows local atta...

Same vulnerability type (CWE-61)
CVE-2024-54661 9.8

This vulnerability in socat's readline.sh script allows local privilege escalation through insecure ...

Same vulnerability type (CWE-61)
CVE-2025-55345 8.8

This vulnerability in Codex CLI allows attackers to overwrite arbitrary files and potentially achiev...

Same vulnerability type (CWE-61)