secuvera-SA-2024-04: Information Disclosure

Affected Products
   CyberGhostVPN Windows Application Version 8.4.3.12823 (older releases have not been tested)

References
   secuvera-SA-2024-04 (not published yet)
   CVE-Number: CVE-2024-26330
   CWE-316: Cleartext Storage of Sensitive Information in Memory
   CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Summary:
   CyberGhostVPN is a multi-platform VPN application with a focus on personal privacy.
   In an independent test of the Windows client, it was found that the client retains
   login credentials in memory until it is restarted, even after the user has logged out.
   In addition, the client's memory contains the login email address.

Effect:
   Attackers who have access to the memory area of the application, e.g. a regular
   Windows user who creates a memory dump using the Task Manager, can gain knowledge
   of the credentials used to log in to CyberGhostVPN.

Example:
   1. Install CyberGhostVPN Windows Application Version (v8.4.3.12823, downloaded 2024-02-01)
   3. Log in to CyberGhostVPN using your credentials.
   4. Log out
   6. Create a memory dump (used Process Hacker v2.39.124)
   7. Search for your login credentials in the dump (PowerShell command given)
      strings64.exe | Select-String
   8. Close CyberGhostVPN completely
   9. Restart CyberGhostVPN
   10. Create a second memory dump
   11. Search again for your login credentials in the second dump
       -> Cannot be found

Disclosure Timeline:
   2024/02/01 vendor contacted
   2024/02/01 vendor responded, stating that attackers with local access are outside of application's threat model
   2024/02/01 vendor contacted
   2024/02/01 vendor responded, stating that attackers with local access are outside of application's threat model
   2024/02/07 issue moved back to new state for another review
   2024/03/13 status changed to resolved
   2024/05/29 public disclosure

Credits:
   Maximilian Barz
   mbarz@secuvera.de
   secuvera GmbH
   https://www.secuvera.de

Disclaimer:
   All information is provided without warranty. The intent is to provide information
   to secure infrastructure and/or systems, not to be able to attack or damage.
   Therefore secuvera shall not be liable for any direct or indirect damages that
   might be caused by using this information.
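
A check for steps 7 and 11 of the Example, added here as an illustration and not part of the secuvera advisory: it scans a memory dump of your own test installation for a throwaway credential in both UTF-8 and UTF-16LE, reading in chunks so large dumps are handled. The function names, the canary value and the sample bytes are assumptions constructed for this example.

```python
import io

CHUNK = 1 << 20  # read 1 MiB at a time so multi-GB dumps never sit fully in RAM


def find_secret(stream, secret, chunk_size=CHUNK):
    """Return sorted (offset, encoding) hits for `secret` in a binary stream."""
    if not secret:
        raise ValueError("secret must be non-empty")
    # A Windows process may hold the same string as narrow or wide characters.
    patterns = {
        "utf-8": secret.encode("utf-8"),
        "utf-16le": secret.encode("utf-16-le"),
    }
    overlap = max(len(p) for p in patterns.values()) - 1
    hits = set()
    base = 0   # file offset of buf[0]
    buf = b""
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        buf += block
        for name, pat in patterns.items():
            pos = buf.find(pat)
            while pos != -1:
                hits.add((base + pos, name))
                pos = buf.find(pat, pos + 1)
        # Keep the tail so a match split across two reads is still found.
        keep = buf[-overlap:] if overlap else b""
        base += len(buf) - len(keep)
        buf = keep
    return sorted(hits)


def scan_dump(path, secret):
    """Scan a dump file on disk; an empty list means the secret was not found."""
    with open(path, "rb") as fh:
        return find_secret(fh, secret)


if __name__ == "__main__":
    canary = "Canary-Pw-12345"  # constructed throwaway value, never a real password
    # Constructed stand-in for a dump taken after logout: one wide copy remains.
    sample = b"\x00" * 10 + canary.encode("utf-16-le") + b"\x00" * 20
    print(find_secret(io.BytesIO(sample), canary, chunk_size=8))
```

An empty result from `scan_dump` on the dump taken after logout is the pass condition for a fixed build; run it against both dumps from the procedure to compare.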