Alarm Raised Over Flaw in Mozilla VPN Client Allowing Unauthorized Exploitation

Written by Techbot

In a significant development that has raised alarm among cybersecurity experts, the Mozilla VPN client for Linux was found to have a critical flaw, as reported by a security engineer at Linux distribution maker SUSE.

The vulnerability is present in version 2.14.1 of the client, released on May 30. The risk stems from a broken authentication check that lets local users abuse the VPN client's privileged daemon.

The vulnerability can have a far-reaching impact: the potential consequences range from configuring arbitrary VPN setups without authorization to redirecting network traffic to external parties.

Existing VPN configurations can also be broken as a result. The risk is most relevant on shared information systems used by multiple users.

Attackers can exploit this flaw to wreak havoc and compromise sensitive data. Although the flaw appears to be serious, there’s no publicly released fix available to users. This raises questions about the urgency of addressing the issue and about the disclosure process.

The vulnerability came to light through a post on the Openwall security mailing list by Matthias Gerstner, who identified a broken authentication check in the Mozilla VPN client.

The flaw is present in the privileged Mozilla VPN Linux daemon process, which contains incorrect authorization logic related to Polkit. Polkit, formerly known as PolicyKit, is an authorization API for privileged programs.

Any User Account Can Access Privileges Without Authentication Check

According to Gerstner, the authentication check wrongly asks Polkit whether the privileged Mozilla VPN D-Bus service itself is authorized to perform the action, rather than whether the calling user is.

Consequently, the D-Bus service, which runs as root, naturally passes the authorization check. This allows any user account, regardless of its privileges, to use it.
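As an added illustration (not Mozilla's code), the following Python models the mix-up Gerstner describes: the daemon's Polkit check must name the caller's D-Bus connection as the subject, not its own. The action ID, the bus names and the stand-in Polkit policy are constructed for the example.

```python
from typing import Dict, Tuple

# Constructed names and policy; none of these are Mozilla VPN's real identifiers.
ACTION_ID = "org.example.vpn.activate"
DAEMON_BUS_NAME = ":1.7"                 # the privileged daemon's own connection
BUS_NAME_TO_UID: Dict[str, int] = {":1.7": 0, ":1.9": 0, ":1.42": 1000}

def polkit_subject(bus_name: str) -> Tuple[str, Dict[str, str]]:
    """Build the (kind, details) subject that Polkit's CheckAuthorization
    takes; kind 'system-bus-name' makes Polkit resolve the name to a UID."""
    return ("system-bus-name", {"name": bus_name})

def check_authorization(subject: Tuple[str, Dict[str, str]], action_id: str) -> bool:
    """Stand-in for the Polkit authority. Assumed policy: the action is
    allowed only when the subject resolves to uid 0."""
    kind, details = subject
    if kind != "system-bus-name":
        raise ValueError("unsupported subject kind")
    uid = BUS_NAME_TO_UID[details["name"]]
    return action_id == ACTION_ID and uid == 0

def activate_vulnerable(sender: str) -> bool:
    """Broken logic: asks Polkit about the daemon's own connection (root),
    so the answer is 'authorized' no matter who sent the D-Bus call."""
    return check_authorization(polkit_subject(DAEMON_BUS_NAME), ACTION_ID)

def activate_fixed(sender: str) -> bool:
    """Correct logic: the subject is the unique bus name of the caller,
    so an unprivileged user (uid 1000) is refused while root is allowed."""
    return check_authorization(polkit_subject(sender), ACTION_ID)

if __name__ == "__main__":
    for who in (":1.9", ":1.42"):
        print(who, "uid", BUS_NAME_TO_UID[who],
              "vulnerable:", activate_vulnerable(who),
              "fixed:", activate_fixed(who))
```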

"The impact is that arbitrary local users can configure arbitrary VPN setups using Mozilla VPN and thus possibly redirect network traffic to malicious parties, pretend that a secure VPN is present while it actually isn’t, perform a denial-of-service against an existing VPN connection or other integrity violations," Matthias Gerstner wrote.

Gerstner also raised concerns about the absence of Polkit authorization checks for several other D-Bus methods, namely deactivate(), firewallClear(), runningApps(), cleanupLogs(), and getLogs().

These unauthenticated D-Bus methods let users carry out operations that should require authorization.

On the disclosure process, Gerstner said that the issue was reported to Mozilla privately on May 4, but no response was received until June 12.

It was later discovered that the flaw had been disclosed in a GitHub pull request to the Mozilla VPN repository. Mozilla failed to respond properly, although inquiries were made about coordinated disclosure.

Once 90 days had passed, SUSE publicly disclosed the flaw on August 3. Mozilla subsequently assigned the identifier CVE-2023-4104 to the issue.

How Does Mozilla Plan To Address The Issue?

Mozilla plans to address the vulnerability in the upcoming 2.16.0 version of Mozilla VPN, considered one of the best VPN services around, by removing the Polkit authentication altogether.

However, this change still does not address the unauthenticated D-Bus APIs, which local users could still misuse.

Mozilla further aims to strengthen authentication in v2.17.0, due for release in the next couple of months. After that update, D-Bus callers would need either the CAP_NET_ADMIN capability or the UID of the user who activated the connection.

Although these fixes have been announced, Gerstner stated that there is currently no information on how or when Mozilla will address the other potential information leaks mentioned in the advisory.
