SUSE Engineer Exposes Security Loophole in Mozilla VPN for Linux

August 5, 2023

A SUSE security engineer has disclosed a vulnerability within the Linux version of Mozilla’s VPN client. The flaw was made public after complications during the disclosure process, while it was still unresolved in a public update.

In an update shared on the Openwall security mailing list, Matthias Gerstner detailed an authentication issue in the Mozilla VPN client version 2.14.1, launched on May 30. This flaw could allow users to manipulate the VPN settings, diverting network traffic or disrupting current VPN connections. Such vulnerabilities are especially problematic on computers accessed by multiple users.

Gerstner’s team stumbled upon this issue when openSUSE Tumbleweed, a Linux variant, intended to integrate the Mozilla VPN client. As part of SUSE’s standard vetting procedures, the security unit discovered a significant flaw concerning a “privileged D-Bus service operating as root, coupled with a Polkit policy.”

Polkit, once known as PolicyKit, is a crucial tool for granting program permissions. It was noticed that the authorization procedure for the VPN’s privileged process was faulty. Gerstner noted that the flawed implementation made the system check permissions for the VPN D-Bus service instead of the user. Since this service functions with elevated rights, it invariably gives a green signal, enabling any user to proceed.

He highlighted the absence of Polkit checks for numerous other functions, such as getting logs or deactivating the VPN. For instance, allowing any user to turn off another’s VPN connection presents a glaring security loophole.

Polkit itself had recently been spotlighted for a security hitch. However, the Mozilla VPN issue lies not in the tool itself but in its incorrect usage. What stands out in this scenario is the disclosure’s mismanagement.

Gerstner shared that Mozilla was informed about this privately on May 4. Yet, SUSE remained in the dark until June 12, only finding out when the issue was made public via a GitHub request for the VPN’s repository. Despite a lack of communication, SUSE chose to wait for a 90-day window, ending on August 3, before going public. The vulnerability has since been labeled CVE-2023-4104 by Mozilla.

While Mozilla VPN is set to ditch Polkit authentication in its upcoming version 2.16.0, this won’t alter the fact that its D-Bus interfaces remain unsecured. However, enhanced security measures are anticipated in version 2.17.0. That version will require the D-Bus requester to hold the CAP_NET_ADMIN capability or to have the UID of the user who initiated the connection. This update is slated for release in a couple of months.
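The subject mix-up Gerstner describes and the caller check planned for version 2.17.0 can be compared side by side in a small model. This is an added Python example, not Mozilla VPN or Polkit code; the peer names, UIDs, capability masks and the toy policy are constructed assumptions.

```python
from dataclasses import dataclass

CAP_NET_ADMIN = 12  # capability bit number from linux/capability.h

@dataclass(frozen=True)
class Peer:
    """One D-Bus peer. All instances below are constructed sample data."""
    name: str
    uid: int
    cap_eff: str  # effective capability mask, hex, as in /proc/<pid>/status

def toy_policy_allows(subject: Peer) -> bool:
    """Assumed stand-in for a Polkit decision: only uid 0 passes unprompted."""
    return subject.uid == 0

def has_cap(peer: Peer, cap: int) -> bool:
    return bool((int(peer.cap_eff, 16) >> cap) & 1)

SERVICE = Peer("vpn-daemon", 0, "000001ffffffffff")  # privileged service, root
ALICE = Peer("alice", 1000, "0000000000000000")      # started the VPN connection
BOB = Peer("bob", 1001, "0000000000000000")          # unrelated local user
NETOP = Peer("netop", 1002, "0000000000001000")      # holds only CAP_NET_ADMIN

def flawed_authorize(caller: Peer) -> bool:
    # Pattern from the article: the service is passed as the subject, so the
    # caller is never examined and the answer is the same for everyone.
    return toy_policy_allows(SERVICE)

def caller_authorize(caller: Peer) -> bool:
    # Same policy, but the subject is the peer that sent the request.
    return toy_policy_allows(caller)

def planned_authorize(caller: Peer, owner_uid: int) -> bool:
    # Rule the article reports for 2.17.0: CAP_NET_ADMIN, or the UID of the
    # user who initiated the connection.
    return has_cap(caller, CAP_NET_ADMIN) or caller.uid == owner_uid

def decisions(owner: Peer = ALICE) -> dict:
    """Map each caller name to (flawed, caller-as-subject, planned) results."""
    return {p.name: (flawed_authorize(p), caller_authorize(p),
                     planned_authorize(p, owner.uid))
            for p in (ALICE, BOB, NETOP, SERVICE)}

if __name__ == "__main__":
    for name, row in decisions().items():
        print(f"{name:10s} flawed={row[0]} caller={row[1]} planned={row[2]}")
```

In the model the flawed check returns the same answer for every caller, which is the signature to look for when reviewing a privileged D-Bus service: the authorization result must vary with the requesting peer's credentials.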

As for the other exposed security flaws mentioned, no updates on potential resolutions have been provided. When contacted for a statement, a representative from Mozilla said they might have more to share by Monday.

Saher

Author

Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.
