SaferVPN quietly fixed a DoS vulnerability
The VPN provider SaferVPN has patched a denial of service (DoS) flaw in its software after the bug was discovered by a security researcher.
The vulnerability, tracked as CVE-2020-25744, was first disclosed to the company in early September by a security researcher named mmht3t. However, since SaferVPN quietly fixed the bug with the release of version 5.0.3.3 of its VPN client, mmht3t has gone ahead and disclosed the vulnerability in a recent post on Medium.
Versions of the company’s VPN software prior to 5.0.3.3 contain a vulnerability that allows low-privileged users to create or overwrite arbitrary files, which can be exploited to perform DoS attacks.
According to mmht3t, SaferVPN users have full control over the VPN software’s log folder: they can delete all the files in it and create a symbolic link pointing to a high-privilege file such as C:\Windows\win.ini on their Windows PC. If a user does this, the contents of the log file will overwrite the high-privilege file.
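The bug class described above, as an added example that is not SaferVPN's code or the researcher's: a log writer that follows a link left in a user-writable folder, beside a writer that refuses to. It uses POSIX-style calls in a temporary directory, and every name in it (`naive_log_write`, `safe_log_write`, `client.log`, `protected.ini`) is hypothetical.

```python
import os
import stat
import tempfile

def naive_log_write(log_path, data):
    # Flawed pattern: open() follows whatever link sits at log_path.
    with open(log_path, "w") as f:
        f.write(data)

def safe_log_write(log_path, data):
    # Reject a link at the final path component before opening.
    try:
        if stat.S_ISLNK(os.lstat(log_path).st_mode):
            raise PermissionError("log path is a link: " + log_path)
    except FileNotFoundError:
        pass  # no file yet; O_CREAT below creates it
    # O_NOFOLLOW (where the OS has it) closes the check-then-open race.
    flags = os.O_WRONLY | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(log_path, flags, 0o600)
    try:
        st = os.fstat(fd)
        # Only truncate a plain file that is not hard-linked elsewhere.
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            raise PermissionError("unexpected log file type: " + log_path)
        os.ftruncate(fd, 0)
        os.write(fd, data.encode())
    finally:
        os.close(fd)

def demo():
    with tempfile.TemporaryDirectory() as root:
        protected = os.path.join(root, "protected.ini")  # constructed stand-in
        with open(protected, "w") as f:
            f.write("original")
        log_dir = os.path.join(root, "log")  # constructed writable log folder
        os.mkdir(log_dir)
        log_path = os.path.join(log_dir, "client.log")
        os.symlink(protected, log_path)  # link left where the log file belongs
        try:
            safe_log_write(log_path, "log line\n")
            blocked = False
        except OSError:
            blocked = True
        with open(protected) as f:
            after_safe = f.read()
        naive_log_write(log_path, "log line\n")
        with open(protected) as f:
            after_naive = f.read()
        return blocked, after_safe, after_naive
```

The link check protects only the final path component; keeping the log folder itself non-writable for unprivileged users is the complementary control.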
Lack of recognition
What makes this particular vulnerability disclosure so interesting is the fact that mmht3t responsibly disclosed the bug to SaferVPN and was not credited with its discovery.
VPN providers and other companies often create their own bug bounty programs or use platforms such as HackerOne to do so. This allows security researchers to be paid for the bugs they find, while also helping the companies improve their software.
After discovering the bug in SaferVPN’s Windows client, mmht3t sent an email to the company to notify them of the situation and then sent details about the vulnerability upon request. He then tried to contact the company twice and they did not respond on either occasion. Instead, SaferVPN quietly fixed the bug with the release of version 5.0.3.3 of its VPN client. At that point mmht3t decided to disclose the bug, which led to the vulnerability being assigned a CVE.
TechRadar Pro has contacted SaferVPN regarding the matter, but we have yet to hear anything at the time of writing.
The post SaferVPN quietly fixed a DoS vulnerability appeared first on WhatsNew2Day.