Discovered by Tyler Bohan of Cisco Talos.

Overview

Cisco Talos is disclosing a series of vulnerabilities found in the Shimo VPN Helper Tool. Shimo VPN is a popular VPN client for MacOS that can be used to connect multiple VPN accounts to one application. These specific vulnerabilities were found in the “helper tool,” a feature that Shimo VPN uses to accomplish some of its privileged work.

These vulnerabilities are being released without a patch, per our disclosure policy, after repeated attempts were made to communicate with the vendor.

Vulnerability Details

TALOS-2018-0673

TALOS-2018-0673/CVE-2018-4004 is a privilege escalation vulnerability that resides in the Shimo VPN helper service, specifically the disconnectService function. The vulnerability requires local access to the machine but could allow a non-root user to kill privileged processes on the system.
Detailed vulnerability information can be found here.

TALOS-2018-0674

TALOS-2018-0674/CVE-2018-4005 is an exploitable privilege escalation vulnerability that resides in the Shimo VPN helper service, specifically the configureRoutingWithCommand function. The vulnerability requires local access to the machine but could allow an attacker to escalate their privileges to root.  
Detailed vulnerability information can be found here.

TALOS-2018-0675

TALOS-2018-0675 / CVE-2018-4006 is an exploitable privilege escalation vulnerability that resides in the Shimo VPN helper service, specifically the writeConfig functionality. The vulnerability requires local access to the machine but could allow an attacker to escalate their privileges to root.
Detailed vulnerability information can be found here.

TALOS-2018-0676

TALOS-2018-0676 / CVE-2018-4007 is an exploitable privilege escalation vulnerability that resides in the Shimo VPN helper service, specifically the deleteConfig functionality. The vulnerability requires local access to the machine but could allow an attacker to delete any protected file on the system.
Detailed vulnerability information can be found here.

TALOS-2018-0677

TALOS-2018-0677 / CVE-2018-4008 is an exploitable privilege escalation vulnerability that resides in the Shimo VPN helper service, specifically the RunVpncScript command. The vulnerability requires local access to the machine. The command takes a user-supplied script argument and executes it under root context.  
Detailed vulnerability information can be found here.

TALOS-2018-0678

TALOS-2018-0678 / CVE-2018-4009 is an exploitable privilege escalation vulnerability that resides in the Shimo VPN helper service due to improper validation of code signing.  The vulnerability requires local access to the machine but could allow an attacker to escalate their privileges to root.  
Detailed vulnerability information can be found here.

Known Vulnerable Versions

Shimo VPN 4.1.5.1

Coverage

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 47801 - 47804