The Windows client of CyberGhost VPN older than version 8.3.10.10015 is vulnerable to a flaw that could allow attackers to perform command line injection and escalate their privileges on the impacted system.
According to a report by the security researcher who discovered the flaw, a specially crafted JSON payload sent to the CyberGhost RPC service during the launch of the OpenVPN process can lead to complete system compromise.
Users of the popular VPN software are recommended to upgrade to client version 8.3.10.10015 or later, released on February 24, 2023, to address the problem.
Vulnerability Details
The CyberGhost VPN client vulnerability (CVE-2023-30237) is an elevation of privilege issue that allowed attackers to inject malicious command lines using a crafted JSON payload.
By exploiting the RPC service, which was intended to accept requests only from the client's own process, attackers could bypass the process origin check, manipulate the communication protocol, and gain complete control of the system through OpenVPN's plugin feature.
The "Pen Test Partners" researchers explain that CyberGhost's developers had put several protections in place, such as ensuring the named pipe is not reachable over the network and configuring JsonSerializer so that it cannot instantiate arbitrary .NET types. Even so, a carefully crafted payload that manipulated the command line arguments was enough to bypass those protections and exploit the vulnerability.
The point of failure lies in the developers overlooking some nuances of the CommandLineToArgvW API while constructing the command line string argument. By exploiting this oversight, the researchers could craft a payload that embeds a
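The parsing nuance the report refers to is easiest to see by running a command line through the rules that `CommandLineToArgvW` documents (whitespace separates arguments, double quotes group them, and a run of backslashes before a double quote decides whether that quote is a delimiter or a literal). The example below is added here and is not code from the researchers' report or from CyberGhost; it contains a small Python model of those documented rules (the special handling of `""` inside a quoted run and of the program-name token is deliberately left out), a naive builder that wraps a caller-supplied value in quotes, and the correct alternative, `subprocess.list2cmdline`, which applies the matching escaping. The `openvpn.exe --config` command line is a constructed illustration, not CyberGhost's actual launch string.

```python
import subprocess


def command_line_to_argv(cmdline: str) -> list[str]:
    """Simplified model of the CommandLineToArgvW rules documented by Microsoft.

    - space/tab outside quotes end an argument
    - a double quote toggles "quoted" mode
    - 2n backslashes + quote  -> n backslashes, quote is a delimiter
    - 2n+1 backslashes + quote -> n backslashes, quote is a literal
    - backslashes not followed by a quote are literal
    The `""` special case and program-name handling are not modelled.
    """
    args: list[str] = []
    cur: list[str] = []
    in_quotes = False
    have_arg = False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (run // 2))
                if run % 2 == 1:
                    cur.append('"')  # odd run: escaped literal quote
                    i = j + 1
                else:
                    i = j  # even run: the quote is handled as a delimiter below
            else:
                cur.append("\\" * run)  # backslashes not before a quote are literal
                i = j
            have_arg = True
        elif c == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg = True
            i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def naive_command_line(value: str) -> str:
    """The defect: wrapping a caller-controlled value in quotes by string concatenation.

    A quote inside `value` closes the wrapper early and the remainder becomes
    additional arguments to the launched process.
    """
    return f'openvpn.exe --config "{value}"'  # constructed illustration


def safe_command_line(value: str) -> str:
    """Build the same command line with the escaping that matches the parser rules."""
    return subprocess.list2cmdline(["openvpn.exe", "--config", value])


def argument_survives_intact(builder, value: str) -> bool:
    """True if the parsed command line still carries `value` as exactly one token."""
    return command_line_to_argv(builder(value)) == ["openvpn.exe", "--config", value]


if __name__ == "__main__":
    tricky = 'a" b'  # constructed value: an embedded quote and a space
    for name, builder in (("naive", naive_command_line), ("safe", safe_command_line)):
        line = builder(tricky)
        print(f"{name:5}: {line!r} -> {command_line_to_argv(line)}")
```

The naive builder turns the single value `a" b` into two separate tokens, which is exactly the shape of mistake the report describes; the `list2cmdline` version round-trips it as one argument, including values that end in a backslash, where the escaping rule for backslash runs before the closing quote matters.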