A SUSE security engineer has disclosed a vulnerability in the Linux version of Mozilla's VPN client. Because the disclosure process went awry, the flaw has been published while it remains unpatched.
In an update to the Openwall security mailing list, Matthias Gerstner detailed an authentication issue in Mozilla VPN client version 2.14.1, released on May 30. The flaw could allow users to manipulate the VPN settings, diverting network traffic or disrupting active VPN connections. Such vulnerabilities are especially problematic on multi-user systems.
Gerstner's team came across the issue when the Mozilla VPN client was proposed for inclusion in openSUSE Tumbleweed, a rolling Linux distribution. During SUSE's standard review, the security team found a significant flaw in a "privileged D-Bus service operating as root, coupled with a Polkit policy."
Polkit, formerly known as PolicyKit, is the standard mechanism for deciding whether a program may perform a privileged action. The authorization check in the VPN's privileged process turned out to be faulty: Gerstner noted that the implementation asked Polkit to authorize the VPN D-Bus service itself rather than the user calling it. Because that service runs with elevated rights, the check always succeeds, so any user is allowed to proceed.
He also pointed out that numerous other functions, such as retrieving logs or deactivating the VPN, carry no Polkit check at all. Allowing any user to turn off another user's VPN connection, for instance, is a glaring security hole.
Polkit itself was recently in the spotlight for a security flaw of its own, but the Mozilla VPN issue is not a bug in the tool; it is a case of using it incorrectly. What stands out here is how the disclosure was mishandled.
Gerstner said Mozilla was informed of the issue privately on May 4, yet SUSE heard nothing back until June 12, when it learned the issue had become public through a request on the VPN's GitHub repository. Despite the lack of communication, SUSE honoured its 90-day disclosure window, which ended on August 3, before going public. Mozilla has since assigned the vulnerability CVE-2023-4104.
Mozilla VPN is set to drop Polkit authentication in the upcoming version 2.16.0, but that alone leaves its D-Bus interfaces unprotected. Tighter checks are expected in version 2.17.0, which will require the D-Bus caller to hold the CAP_NET_ADMIN capability or to run as the UID of the user who initiated the connection. That release is slated for a couple of months from now.
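The authorization defect described above, modelled as an added example that is not Mozilla VPN's code: a simulated Polkit backend shows why asking Polkit about the service's own root process always answers "allowed", how the same check behaves when the D-Bus caller is the subject instead, and the 2.17.0-style rule from the previous paragraph (CAP_NET_ADMIN or the connection owner's UID). The action id `org.example.vpn.configure`, the `vpn-admins` group and all PIDs and UIDs are constructed values; nothing here talks to a real system bus.

```python
"""
Model of a privileged D-Bus service authorizing callers via Polkit.

Simulated Polkit decision logic (constructed for this example); the real
daemon resolves the subject from the D-Bus sender's unique bus name, which
is why the service must pass the *caller's* identity, never its own.
"""
from dataclasses import dataclass, field

# Constructed policy: the assumed action is granted to root or to members
# of an assumed "vpn-admins" group. Stands in for a real .policy/.rules file.
ACTION = "org.example.vpn.configure"
POLICY = {ACTION: {"allow_uid": {0}, "allow_group": {"vpn-admins"}}}


@dataclass(frozen=True)
class Subject:
    """The process Polkit would resolve for a bus name: pid, uid, groups, caps."""
    pid: int
    uid: int
    groups: frozenset = field(default_factory=frozenset)
    capabilities: frozenset = field(default_factory=frozenset)


def polkit_check(subject: Subject, action: str) -> bool:
    """Simulated CheckAuthorization: is `subject` allowed to perform `action`?"""
    rule = POLICY[action]
    return subject.uid in rule["allow_uid"] or bool(subject.groups & rule["allow_group"])


# The privileged D-Bus service itself: runs as root (constructed pid).
SERVICE = Subject(pid=1000, uid=0)


def authorize_buggy(caller: Subject, action: str) -> bool:
    """Defect pattern: the subject handed to Polkit is the service's own
    process, so Polkit is effectively asked "may root do this?" and the
    answer is always True. `caller` is never consulted."""
    return polkit_check(SERVICE, action)


def authorize_fixed(caller: Subject, action: str) -> bool:
    """Correct pattern: authorize the D-Bus sender, i.e. the unprivileged
    caller resolved from the message's sender bus name."""
    return polkit_check(caller, action)


def may_control_connection(caller: Subject, owner_uid: int) -> bool:
    """Rule described for 2.17.0, modelled here (not Mozilla's implementation):
    the requester must hold CAP_NET_ADMIN or be the UID that started the
    connection. Used for operations such as deactivating a VPN tunnel."""
    return "CAP_NET_ADMIN" in caller.capabilities or caller.uid == owner_uid


def demo() -> dict:
    """Run both checks for an ordinary user and return the verdicts."""
    alice = Subject(pid=4242, uid=1001)  # constructed unprivileged caller
    return {
        "buggy_allows_alice": authorize_buggy(alice, ACTION),
        "fixed_allows_alice": authorize_fixed(alice, ACTION),
        "alice_can_stop_own_vpn": may_control_connection(alice, owner_uid=1001),
        "alice_can_stop_other_vpn": may_control_connection(alice, owner_uid=1002),
    }


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(f"{key}: {verdict}")
```

The difference between the two authorize functions is one argument: which identity is passed as the Polkit subject. A review of any root D-Bus service should confirm that the subject it submits is derived from the incoming message's sender, and that every privileged method (not only configuration changes, but log retrieval and deactivation too) goes through such a check.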
No timeline has been given for fixing the other flaws mentioned. Asked for a statement, a Mozilla representative said the company might have more to share by Monday.