A cybersecurity researcher at SUSE has warned that the Mozilla VPN client for Linux holds a severe vulnerability that could allow threat actors to conduct a wide range of integrity violations.
Matthias Gerstner published an article on the Openwall security mailing list, in which he details a broken authentication check in Mozilla VPN client v2.14.1, released on May 30.
Threat actors that discover the flaw can use it to set up their own arbitrary VPN, redirect network traffic to (potentially) malicious destinations, and break existing VPN setups.
Multiple integrity violations
Detailing the flaw, Gerstner says that SUSE’s engineers analyzed Mozilla’s VPN client and found that it “contains a privileged D-Bus service running as root and a Polkit policy.” Polkit is an authorization framework that privileged programs use to decide whether a request should be allowed. As the client is currently written, the Polkit check asks whether the privileged Mozilla VPN D-Bus service itself is authorized to perform certain actions, rather than the local user who requested them.
“The impact is that arbitrary local users can configure arbitrary VPN setups using Mozilla VPN and thus possibly redirect network traffic to malicious parties, pretend that a secure VPN is present while it actually isn’t, perform a denial-of-service against an existing VPN connection or other integrity violations,” Gerstner said in his writeup.
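To make the class of mistake concrete, here is an added Python model (not Mozilla’s code, and not SUSE’s report): a privileged D-Bus service asks Polkit whether a subject may perform an action, and the subject it passes is either its own bus name (the bug pattern described above) or the bus name of the caller (the correct check). The subject tuple mirrors the shape of the real `org.freedesktop.PolicyKit1.Authority.CheckAuthorization` call, but the Polkit authority, the bus names, the uids and the action id `org.example.vpn.configure` are all constructed here so the script runs offline.

```python
"""Constructed model of a Polkit subject mix-up in a privileged D-Bus service.

polkitd expects the subject of CheckAuthorization to identify the *caller*
(for example the sender's unique bus name ":1.43").  A service that passes
its own bus name instead asks "is root allowed?", which is always yes, so
every local user ends up authorized.
"""
from dataclasses import dataclass, field

ACTION = "org.example.vpn.configure"  # hypothetical action id


@dataclass
class FakePolkitAuthority:
    """Stand-in for polkitd: resolves bus names to uids and applies a toy policy."""
    uid_of_bus_name: dict = field(default_factory=dict)
    admin_uids: set = field(default_factory=set)

    def check_authorization(self, subject, action_id, details, flags, cancellation_id):
        # Same argument order as the real D-Bus method; only the policy is simulated.
        kind, subject_details = subject
        if kind != "system-bus-name":
            raise ValueError("unsupported subject kind")
        uid = self.uid_of_bus_name[subject_details["name"]]
        authorized = uid == 0 or uid in self.admin_uids  # root or admin users pass
        return (authorized, False, {})  # (is_authorized, is_challenge, details)


class VpnService:
    """Root-owned service exposing a 'configure VPN' method over D-Bus (simulated)."""

    def __init__(self, authority, own_bus_name):
        self.authority = authority
        self.own_bus_name = own_bus_name

    def _check(self, subject_name):
        subject = ("system-bus-name", {"name": subject_name})
        ok, _challenge, _details = self.authority.check_authorization(
            subject, ACTION, {}, 0, "")
        return ok

    def configure_vpn_buggy(self, sender):
        # Bug pattern: the service authorizes *itself* (a root process);
        # the sender of the method call is never consulted.
        return self._check(self.own_bus_name)

    def configure_vpn_fixed(self, sender):
        # Correct: the subject is the D-Bus sender who invoked the method.
        return self._check(sender)


def build_demo():
    """Constructed scenario: service at :1.7 (root), admin user at :1.42, other user at :1.43."""
    authority = FakePolkitAuthority(
        uid_of_bus_name={":1.7": 0, ":1.42": 1000, ":1.43": 1001},
        admin_uids={1000},
    )
    return VpnService(authority, own_bus_name=":1.7")


if __name__ == "__main__":
    svc = build_demo()
    for sender in (":1.42", ":1.43"):
        print(sender,
              "buggy:", svc.configure_vpn_buggy(sender),
              "fixed:", svc.configure_vpn_fixed(sender))
```

With the buggy check the non-admin caller at `:1.43` is authorized because Polkit only ever sees the root service; with the fixed check only the admin caller passes. In a real service the sender's unique name comes from the D-Bus message metadata, and a process id or pidfd subject works equally well, as long as it identifies the caller and not the service.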
SUSE disclosed its findings to Mozilla on May 4, but didn’t hear back from the company. Eight days later, on June 12, SUSE found the flaw disclosed in a GitHub pull request to the Mozilla VPN repository.
“We asked upstream once more what their intentions are regarding coordinated disclosure but did not get a proper response,” Gerstner explained.
Three months later, as is the usual practice, SUSE publicly disclosed the flaw. It is now being tracked as CVE-2023-4104.
Mozilla is keeping quiet for now, with a representative telling The Register that more information should be available later today.
Via: The Register