No patch available: Mozilla VPN allows traffic interception under Linux

The Mozilla VPN client for Linux appears to have a vulnerability that allows any user to apply arbitrary VPN configurations to a system where the client is installed, due to a faulty authorization check. The vulnerability was discovered by Matthias Gerstner, a security engineer at SUSE, who, according to a report by The Register, reported the problem to Mozilla as early as May 4th.

This makes it possible for malicious actors to manipulate existing VPN setups or create new ones and thus redirect the network traffic of the target system via a server of their choosing, for example, where it can then be intercepted and analyzed.

Any user can change VPN configuration

As Gerstner explained in a post on Openwall, he was able to reproduce the security flaw using version 2.14.1 of the Mozilla VPN client. The cause is an insufficiently implemented Polkit (formerly PolicyKit) authorization check in the privileged process “mozillavpn linuxdaemon”. The code asks the Polkit authorization service whether the D-Bus service itself, rather than the calling user, is authorized to change the state of the VPN connection. “Since Mozilla VPN’s D-Bus service runs as root, this will always be the case”, according to Gerstner. The outcome is therefore independent of which user initiated the change and what privileges they have.
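The subject confusion Gerstner describes, modelled as an added example rather than Mozilla's code: a stand-in for the Polkit authority and the system bus, with a constructed action id, bus names and uids. The flawed check names the daemon's own (root) process as the Polkit subject, the corrected one names the D-Bus sender.

```python
import os

ACTION_ID = "org.mozilla.vpn.activate"   # constructed action id, not the real one


class FakeBus:
    """Stand-in for the system bus: maps unique bus names to the owning uid
    (what org.freedesktop.DBus.GetConnectionUnixUser would answer)."""
    def __init__(self, owners):
        self.owners = owners

    def get_connection_unix_user(self, name):
        return self.owners[name]


class FakeAuthority:
    """Stand-in for org.freedesktop.PolicyKit1.Authority.CheckAuthorization.
    A subject is a (kind, details) pair like Polkit's (sa{sv}) struct. The
    policy is constructed: root is implicitly allowed, every other uid is
    denied because no interactive authentication agent is modelled."""
    def __init__(self, bus):
        self.bus = bus

    def _subject_uid(self, subject):
        kind, details = subject
        if kind == "unix-process":
            return details["uid"]            # process subject carries its uid
        if kind == "system-bus-name":
            return self.bus.get_connection_unix_user(details["name"])
        raise ValueError(f"unknown subject kind {kind}")

    def check_authorization(self, subject, action_id):
        return action_id == ACTION_ID and self._subject_uid(subject) == 0


def vulnerable_activate(authority, sender):
    """Flaw: the daemon describes *itself* as the subject. It runs as root,
    so the check passes for every caller and `sender` is never consulted."""
    me = ("unix-process", {"pid": os.getpid(), "uid": 0})
    return authority.check_authorization(me, ACTION_ID)


def fixed_activate(authority, sender):
    """Correct: the subject is the D-Bus sender, which Polkit resolves to
    the uid of the calling user before applying the policy."""
    caller = ("system-bus-name", {"name": sender})
    return authority.check_authorization(caller, ACTION_ID)
```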

This allows an attacker to redirect network traffic in a targeted manner while making the user believe that a secure VPN connection is in place. In addition, the vulnerability makes it possible to perform “a denial of service against an existing VPN connection or other integrity violations”.

90 days later still no patch in sight

The fact that the vulnerability has now become public without a patch being available is said to be due to questionable communication on Mozilla's part. Since the SUSE team received no reliable commitment to a “coordinated disclosure”, it finally decided to publish the details of the vulnerability on August 3, 90 days after Mozilla was first notified of the problem.

When asked by The Register, a Mozilla spokesperson is said to have stated that, although the exact date is uncertain, the organization expects to provide further information on the vulnerability, registered as CVE-2023-4104, next Monday.
