Home » » SaferVPN silently fixed a DoS vulnerability

SaferVPN silently fixed a DoS vulnerability

No comments

The VPN provider SaferVPN has patched a denial of service (DoS) vulnerability in its software after a bug was discovered by a security researcher.

The vulnerability, tracked as CVE-2020-25744, was first disclosed to the company at the beginning of September by a security researcher who goes by the handle mmht3t. However, as SaferVPN silently fixed the bug with the release of version 5.0.3.3 of its VPN client, mmht3t has gone ahead and publicly disclosed the vulnerability in a recent post on Medium.

Versions of the company's VPN software before 5.0.3.3 contain a vulnerability that could allow low-privileged users to create or overwrite arbitrary files which could be exploited to launch DoS attacks.

According to mmht3t, SaferVPN users have full control over the VPN software's log folder and they can delete all of the files contained within it and create a symbolic link pointing to a high privileged file such as c:\Windows\win.ini on their Windows PC. If a user does this, the contents of the log file will be overwritten on the high privileged file.

Lack of recognition

What makes this particularly vulnerability disclosure so interesting is the fact that mmht3t responsibly disclosed the bug he found to SaferVPN and was not credited for his discovery.

VPN providers and other companies often create their own bug bounty programs or use platforms like HackerOne to do so. This allows security researchers to get paid for the bugs they find while also helping them to improve their software.

After discovering the bug in SaferVPN's Windows client, mmht3t emailed the company to inform them of the situation and then sent details about the vulnerability when requested. However, he then tried to follow up with the company twice and they did not respond on both occasions. Instead SaferVPN quietly patched the bug with the release of  version 5.0.3.3 of its VPN client. It was then that mmht3t decided to publicly disclose the bug which led to the vulnerability being assigned a CVE.

TechRadar Pro has reached out to SaferVPN in regard to the matter but we've yet to hear back at the time of writing.

  • We've also highlighted the best VPN services


from TechRadar - All the latest technology news https://ift.tt/3hVY5Zh
Share:

No comments:

Post a Comment

Categories

Rove Reviews Youtube Channel

  1. Subscribe to our youtube channel
  2. Like our videos and share them too.
  3. Our youtube channel name Rove reviews.

WITNUX

This website is made by Witnux LLC. This website provides you with all the news feeds related to technology from large tech media industries like GSM Arena, NDTV, Gadgets 360, Firstpost and many other such ates altogether at technical depicts so that you need not go to several sites to view their post provide you advantantage of time.

From the developer
Tanzeel Sarwar

OUR OTHER NETWORKS

OUR YOUTUBE CHANNEL

ROVE REVIEWS PLEASE SUBSCRIBE

OUR FACEBOOK PAGE

The Rove Reviews

Support

Trying our best to provide you the best DONATE or SUPPORTour site Contact me with details how are you gonna help us