A vulnerability in the Mozilla VPN client for Linux allows attackers to modify the VPN configuration of other users without root permissions.
The Mozilla VPN client for Linux has a vulnerability that enables any user on a system with the client installed to apply arbitrary VPN configurations due to a flaw in authentication checks. Matthias Gerstner, a security engineer at Suse, discovered this security flaw and reportedly informed Mozilla about it on May 4th, according to The Register.
This vulnerability allows malicious actors to manipulate existing VPN setups or establish new ones, potentially rerouting the target system’s network traffic through a specific server where it can be intercepted and analyzed.
Any User Can Modify VPN Configuration As Gerstner explains in a post on Openwall, he was able to trace the security loophole to version 2.14.1 of the Mozilla VPN client. The issue appears to be an inadequately implemented Polkit authorization logic (formerly Policykit) for the privileged process “mozillavpn linuxdaemon”. The code executed within it asks the Polkit authorization service to determine if, instead of the user, the D-Bus service is authorized to change the state of the VPN connection. “Since the D-Bus service of Mozilla VPN runs as root, this will always be the case,” Gerstner notes, regardless of which user initiated the change and what privileges they have.
As a result, an attacker could specifically reroute network traffic and make the user believe they have a secure VPN connection. Additionally, the vulnerability could be used to “execute a denial-of-service against an existing VPN connection or other integrity violations.”
The fact that this security flaw has become public without a patch being available is attributed to questionable communication on Mozilla’s part. Since the SUSE team did not receive a reliable statement for a “coordinated disclosure,” they decided to publish the details of the vulnerability on August 3rd – 90 days after Mozilla was first informed of the issue.
When asked by The Register, a Mozilla spokesperson stated that the exact timeline was uncertain, but the organization is expected to release further information about the security flaw, registered as CVE-2023-4104, on the upcoming Monday.