Alarm raised over Mozilla VPN security flaw


A cybersecurity researcher at SUSE has warned that the Mozilla VPN client for Linux contains a severe vulnerability that could allow threat actors to carry out a wide range of integrity violations.

Matthias Gerstner published an article on the Openwall security mailing list, in which he details a broken authentication check in Mozilla VPN client v2.14.1, released on May 30. 

Threat actors that discover the flaw can use it to set up their own arbitrary VPN, redirect network traffic to (potentially) malicious destinations, and break existing VPN setups.



Multiple integrity violations

Detailing the flaw, Gerstner says that SUSE’s engineers analyzed Mozilla’s VPN client and found that it "contains a privileged D-Bus service running as root and a Polkit policy." Polkit is an authorization API for privileged programs, and as the client is currently written, the Polkit check asks whether the privileged Mozilla VPN D-Bus service is authorized to perform certain actions, rather than whether the user requesting them is.

"The impact is that arbitrary local users can configure arbitrary VPN setups using Mozilla VPN and thus possibly redirect network traffic to malicious parties, pretend that a secure VPN is present while it actually isn't, perform a denial-of-service against an existing VPN connection or other integrity violations," Gerstner said in his writeup.
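The wrong-subject check described above can be modelled in a few lines. This is an added example, not code from Mozilla VPN or from Gerstner's writeup: `ToyAuthority`, the action id and the user identities are hypothetical, and the model assumes the authority always authorizes uid 0.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Subject:
    """A process identity as an authorization service would see it."""
    uid: int
    label: str

class ToyAuthority:
    """Simplified stand-in for Polkit (assumption: uid 0 is always authorized;
    any other uid needs an explicit grant for the action)."""
    def __init__(self, grants):
        self.grants = set(grants)  # {(uid, action_id), ...}

    def is_authorized(self, subject, action_id):
        return subject.uid == 0 or (subject.uid, action_id) in self.grants

ACTION = "org.example.vpn.activate"   # hypothetical action id
SERVICE = Subject(0, "vpn-daemon")    # the privileged service, running as root

def activate_flawed(authority, caller):
    # Flawed pattern: the service asks about *itself*. The caller is ignored,
    # so the answer is the same for every local user.
    return authority.is_authorized(SERVICE, ACTION)

def activate_fixed(authority, caller):
    # Corrected pattern: the subject of the check is the requesting user.
    return authority.is_authorized(caller, ACTION)

def compare(authority, callers):
    """Return {label: (flawed_result, fixed_result)} for each caller."""
    return {c.label: (activate_flawed(authority, c), activate_fixed(authority, c))
            for c in callers}

# Constructed sample identities: one user with a grant, one without.
ADMIN = Subject(1000, "admin-user")
GUEST = Subject(1001, "guest-user")
AUTHORITY = ToyAuthority(grants=[(ADMIN.uid, ACTION)])

if __name__ == "__main__":
    for label, (flawed, fixed) in compare(AUTHORITY, [ADMIN, GUEST]).items():
        print(f"{label}: flawed={flawed} fixed={fixed}")
```

A useful review check for any root-owned D-Bus service is to confirm that the subject handed to the authorization call is derived from the message sender, never from the service's own process.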

SUSE disclosed its findings to Mozilla on May 4, but didn’t hear back from the company. Eight days later, on June 12, the company found the flaw disclosed in a GitHub pull request to the Mozilla VPN repository. 

"We asked upstream once more what their intentions are regarding coordinated disclosure but did not get a proper response," Gerstner explained.

Three months later, as is the usual practice, SUSE publicly disclosed the flaw. It is now being tracked as CVE-2023-4104.

Mozilla is keeping quiet for now, with a representative telling The Register that more information should be available later today. 

Via: The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.