Alarm raised over Mozilla VPN security flaw

Apparent Mozilla VPN flaw allows threat actors to conduct a myriad of malicious activities

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

A cybersecurity researcher at SUSE has warned that the MozillaVPNclient for Linux holds a severe vulnerability that could allow threat actors to conduct a wide range of integrity violations.

Matthias Gerstner published an article on the Openwall security mailing list, in which he details a broken authentication check in Mozilla VPN client v2.14.1, released on May 30.

Threat actors that discover the flaw can use it to set up their own arbitrary VPN, redirect network traffic to (potentially) malicious destinations, and break existing VPN setups.

Reader Offer: $50 Amazon gift card with demoSave 250+ yearly hours on manual configuration. Deploy your entire organization within a single day. Learn why Perimeter 81 is TechRadar’s choice for the best Business VPN. Ditch legacy hardware and make the move to the cloud. See how simple it is for yourself.

Preferred partner (What does this mean?)

Multiple integrity violations

Detailing the flaw, Gerstner says that SUSE’s engineers analyzed Mozilla’s VPN client and found that it “contains a privileged D-Bus service running as root and a Polkit policy.” Polkit is an authorization API for privileged programs, and as the program’s written now, Polkit is checking if the privileged Mozilla VPN D-Bus service is authorized to perform certain actions, instead of the user.

“The impact is that arbitrary local users can configure arbitrary VPN setups using Mozilla VPN and thus possibly redirect network traffic to malicious parties, pretend that a secure VPN is present while it actually isn’t, perform a denial-of-service against an existing VPN connection or other integrity violations,” Gerstner said in his writeup.

Cisco finally patches months-old VPN security flaw>Zero-day VPN software flaw exploited by APT hackers>These are the best business VPNs right now

SUSE disclosed its findings to Mozilla on May 4, but didn’t hear back from the company. Eight days later, on June 12, the company found the flaw disclosed in a GitHub pull request to the Mozilla VPN repository.

“We asked upstream once more what their intentions are regarding coordinated disclosure but did not get a proper response,” Gerstner explained.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Three months later, as is the usual practice, SUSE publicly disclosed the flaw. It is now being tracked as CVE-2023-4104.

Mozilla is keeping quiet for now, with a representative telling The Register that more information should be available later today.

Via:The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

3 reasons why PIA fell in our best VPN rankings

Is it still worth using Proton VPN Free?

Quordle today – hints and answers for Saturday, November 9 (game #1020)