CyberGhost VPN has released a patch for a command line injection vulnerability that threatened the security of millions of users of its Windows app.
In a blog post on May 5 2023, Ceri Coburn, a cybersecurity researcher who discovered the bug, shed light on the vulnerability and revealed that bug bounty firm Bugcrowd bullied him for attempting to report the bug directly to Kape Technologies, CyberGhost’s parent company.
“Suffice to say, it was the worst disclosure experience I have witnessed to date,” Coburn wrote.
The CyberGhost Windows client vulnerability — filed as CVE-2023-30237 — can lead to “full system compromise,” Coburn said. Version 8.3.10.10015 of the CyberGhost app, released on Feb. 24, contains a patch for the bug.
About 3 Million Users Affected
Coburn, who works with UK-based cybersecurity company Pen Test Partners (PTP), said the flaw affected about three million users of the CyberGhost VPN Windows app.
According to Coburn, the command line vulnerability allowed unauthorized parties to compromise a device when users attempted to connect to a server via WireGuard or OpenVPN. It “leverages openvpn’s [sic] plugin feature to gain code execution,” he said.
“A specifically crafted JSON payload sent to the CyberGhost RPC service can lead to command line injection when the OpenVPN process is launched, leading to full system compromise,” Coburn explained in a blog post.
This is a DLL (Windows library file) injection technique commonly used by hackers to execute malicious code inside a running system process. It allows cybercriminals to hijack a system and remain unnoticed for a long time.
It’s unclear if threat actors are actively exploiting this flaw.
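To illustrate the bug class Coburn describes, here is an added example (not CyberGhost's or Pen Test Partners' code) showing why pasting an untrusted JSON field into an OpenVPN command line lets extra options such as `--plugin` slip in, beside a hardened version that validates the field and passes an argument vector instead. The JSON shape, the `ExampleVPN` config directory and all sample payloads are assumptions constructed for the demo.

```python
"""Added illustration: command line injection via an RPC/JSON field that is
used to launch OpenVPN, and a safer pattern. Names and paths are assumed."""
import json
import shlex
from pathlib import PureWindowsPath

# Assumed: the only directory the privileged service may read configs from.
# It must also be writable by administrators only, because OpenVPN reads
# directives (including plugin) from the config file itself.
TRUSTED_CONFIG_DIR = PureWindowsPath(r"C:\ProgramData\ExampleVPN\configs")

# Constructed sample RPC payloads (not real CyberGhost traffic).
BENIGN = json.dumps({"config": "work.ovpn"})
INJECTED = json.dumps({"config": r"work.ovpn --plugin C:\Users\Public\injected.dll"})


def build_cmdline_vulnerable(rpc_json: str) -> str:
    """Vulnerable pattern: the untrusted field is concatenated into one string.
    Whitespace inside the value turns the rest of it into new OpenVPN options."""
    req = json.loads(rpc_json)
    return "openvpn.exe --config " + req["config"]


def count_options(cmdline: str) -> int:
    """Tokenise the way a launcher would and count '--' options that result."""
    return sum(1 for tok in shlex.split(cmdline, posix=False) if tok.startswith("--"))


def build_argv_safe(rpc_json: str) -> list:
    """Hardened pattern: accept only a bare .ovpn file name, resolve it under the
    trusted directory, and hand the process an argv list so the value can never
    be split into additional arguments."""
    req = json.loads(rpc_json)
    name = req.get("config")
    if not isinstance(name, str) or not name.endswith(".ovpn"):
        raise ValueError("config must be a .ovpn file name")
    if name.startswith("-") or any(c in name for c in "\\/ \t\r\n"):
        raise ValueError("rejected config name: %r" % name)
    return ["openvpn.exe", "--config", str(TRUSTED_CONFIG_DIR / name)]


def is_accepted(rpc_json: str) -> bool:
    """True if the hardened builder accepts the payload, False if it rejects it."""
    try:
        build_argv_safe(rpc_json)
        return True
    except ValueError:
        return False
```

The hardened builder would still be passed to a process-creation API as a list (for example `subprocess.Popen(argv)` without `shell=True`), never re-joined into a string.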
In light of his unpleasant experience with Bugcrowd, Coburn called for a change in the way security researchers report vulnerabilities to software vendors.
“I just wish that software vendors would offer direct disclosure routes in addition to bug bounty platforms,” he said. “Some researchers would prefer the direct approach.”
In an email to VPNOverview, a spokesperson for CyberGhost described Coburn’s experience as “unfortunate,” adding that it is an “isolated incident with Bugcrowd and is not reflective of either CyberGhost or Bugcrowd’s standards.”
CyberGhost launched its bug bounty program in 2022 to collaborate with independent researchers to improve its service.
“We value collaboration and cooperation with security researchers throughout the world, and we invest heavily in ensuring security researchers are heard and that the lines of communication with our security and development teams are always open,” the CyberGhost spokesperson said. “We are sorry that the researcher had this experience with us on Bugcrowd and we are following up with the relevant parties at Bugcrowd so this doesn’t happen again.”
Keeping Your System Safe
Like other software products, VPNs have seen their fair share of vulnerabilities. In May 2022, North Korean state-backed hackers exploited a VPN flaw to break into the systems of the South Korean Atomic Energy Institute.
VPN providers generally release security patches quickly to fix vulnerabilities and protect users. If you’re using CyberGhost, we recommend updating your app to the latest version. It’s advisable to keep all the apps on your devices up to date and practice proper cyber hygiene to stay safe online.
CyberGhost said it would continue to work with its engineers and the “wider security community” to identify and mitigate threats. Additionally, “our applications will be subject to stringent reviews by our security team going forward,” the CyberGhost spokesperson added.
For answers to questions about the security of CyberGhost VPN, check out our comprehensive review of CyberGhost.