CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 2CVE-2019-12572
https://notcve.org/view.php?id=CVE-2019-12572
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client 1.0.2 (build 02363) for Windows could allow an authenticated, local attacker to run arbitrary code with elevated privileges. On startup, the PIA Windows service (pia-service.exe) loads the OpenSSL library from %PROGRAMFILES%\Private Internet Access\libeay32.dll. This library attempts to load the C:\etc\ssl\openssl.cnf configuration file which does not exist. By default on Windows systems, authenticated users can create directories under C:\. A low privileged user can create a C:\etc\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine library resulting in arbitrary code execution as SYSTEM when the service starts. • https://blog.mirch.io/2019/06/10/cve-2019-12572-pia-windows-privilege-escalation-malicious-openssl-engine https://github.com/mirchr/security-research/blob/master/vulnerabilities/PIA/CVE-2019-12572.txt • CWE-427: Uncontrolled Search Path Element •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2017-15882 – Android Private Internet Access Denial Of Service
https://notcve.org/view.php?id=CVE-2017-15882
The London Trust Media Private Internet Access (PIA) application before 1.3.3.1 for Android allows remote attackers to cause a denial of service (application crash) via a large VPN server-list file. La aplicación London Trust Media Private Internet Access (PIA), en versiones anteriores a la 1.3.3.1 para Android permite que atacantes remotos provoquen una denegación de servicio (cierre inesperado de la aplicación) mediante un archivo de lista de servidores VPN de gran tamaño. • https://wwws.nightwatchcybersecurity.com/2017/10/25/advisory-pia-android-app-cve-2017-15882 • CWE-400: Uncontrolled Resource Consumption •