Popular virtual private network solution provider CyberGhost VPN has patched a recently discovered command injection vulnerability which exposed its Windows users’ systems to potential compromise.
Adding intrigue to the bug's discovery is the pains the researcher who discovered the vulnerability went through to disclose the flaw. The researchers, Ceri Coburn of UK-based security research firm Pen Test Partners, found the bug and said he felt bullied during the disclosure process with bug bounty firm Bugcrowd and the vendor.
In a blog post, Coburn said the CyberGhost VPN client is susceptible to an elevation of privilege vulnerability. Coburn says the vulnerability is filed under CVE-2023-30237, which is yet to be published. He said that the flaw impacts approximately 3 million CyberGhost customers. On its website, CyberGhost says it has over 38 million users.
The latest 188.8.131.5215 version of CyberGhost, released on the 24 February 2023 fixes this issue, according to the VPN company. It's unclear if the patch was pushed to endpoints running previous versions of the software or if customers need to update instances of the software themselves. Updates to the latest version of CyberGhost can be downloaded here.
As for the vulnerability Coburn described it as: “A specially crafted JSON payload sent to the CyberGhost RPC (remote procedure call) service can lead to command line injection when the OpenVPN process is launched, leading to full system compromise."
Bumpy bug reporting
Coburn said he had previously reported a separate CyberGhost issue to Bugcrowd, one of the largest bug bounty and vulnerability disclosure companies. That issue was deemed to be a configuration problem, which was subsequently fixed, rather than a security issue.
“So, we at PTP (Pen Test Partners) decided to commission further dedicated research into the CyberGhost client itself. After several days of poking around, a command line injection vulnerability was found. Now some, reading this, might conclude that this was a form of retaliation. To some degree, it was, but not because of missing out on a bounty, I had no interest in that. It was more to do with how the original case was handled and how this affected an ongoing [PTP] Red Team operation. Therefore, I had no intention whatsoever of reporting this new vulnerability via Bugcrowd.”
On January 3 this year, Coburn attempted to report the new vulnerability directly to CyberGhost, beginning what he says was “the worst disclosure experience” he has ever experienced.
CyberGhost’s support desk referred him to Kape, a digital security software provider who Coburn said “appeared to be the developers behind several well-known consumer VPN products”.
The next day he received an email from Kape saying they had “already covered my concerns via Bugcrowd. Kape had recognized my name from the [previous] Bugcrowd report and assumed it was the same vulnerability”.
“After explaining to Kape that this is nothing to do with the original disclosure, they still insisted that I submit via Bugcrowd. Multiple emails later, as I was clearly getting nowhere, I decided to submit the technical details directly to [Kape] since there were humans monitoring this mailbox.”
"Breached" platform penalty box
That resulted in an email from Bugcrowd telling him he had breached their platform behavior standards by sending an “out of band contact” to Kape. The email said Coburn had been issued a point under a system for tracking researchers who violate Bugcrowd’s rules and code of conduct.
“After several rounds of communication with Bugcrowd and explaining my rationale, eventually my code of conduct point was deducted with an apology.”
Kape then moved swiftly to fix the bug, he said.
“I just wish that software vendors would offer direct disclosure routes in addition to bug bounty platforms. Some researchers would prefer the direct approach.”
In a statement from Kape published in Coburn’s post, the company said it was working with Bugcrowd to prevent similar miscommunications happening in the future.
“Kape values collaboration and cooperation with security researchers throughout the world, and we invest heavily in ensuring security researchers are heard and that the lines of communication with our security and development teams are always open.”
The disclosure of the vulnerability by Coburn was on January 3, 2023 to CyberGhost. The next day CyberGhost erroneously stated it had already addressed the bug. On March 1, CyberGhost said it was "in the process of rolling out the fix," according to Coburn's blog. On March 20, CyberGhost said "the fix was released on the 24th February 2023," according to Coburn.
Breaking down the bug: CVE-2023-30237
The vulnerability, and subsequent proof-of-concept exploit, relies on how CyberGhost parsed data using the native Windows API "CommandLineToArgvW" used in tandem with OpenVPN or Wireguard processes.
"Like many VPN providers, CyberGhost software uses solutions such as OpenVPN or Wireguard to offer VPN services to their customers. Most of these VPN solutions are typically split across an unprivileged UI component that communicates with a privileged Windows service running as SYSTEM. If it’s not fully scrutinized it can lead to elevation of privilege vulnerabilities via this communications channel," the researcher wrote.
When a connection request is made by CyberGhost, similar to other VPN services, to connect to a configured city or country via an unprivileged user interface, the details or data are sent to the backed service (MachineNameCyberGhost8Service) and a process (openvpn.exe or the wireguard DLL) is started to establish the underlying VPN connection, according to the post.
"There are several openvpn command line arguments that can be used to execute other processes or load arbitrary DLL’s such as the –plugin argument," he wrote.
"The exploit leverages openvpn’s plugin feature to gain code execution, therefore a simple plugin was written that queried the –remote argument and treated this as a command to execute instead," Coburn wrote.