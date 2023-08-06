

Alarm Raised Over Flaw in Mozilla VPN Client Allowing Unauthorized Exploitation

Krishi Chowdhary Journalist

In a development that has raised alarm among cybersecurity experts, the Mozilla VPN client for Linux has been found to contain a critical flaw, as reported by a security engineer at Linux distribution maker SUSE.

The vulnerability is present in version 2.14.1 of the client, released on May 30. The risk stems from a broken authentication check that lets any local user abuse the VPN client.

The vulnerability can have a far-reaching impact, as the potential consequences range from the unauthorized configuration of arbitrary VPN setups to redirecting network traffic to external parties.

Existing VPN configurations can also be broken as a result. The risk is greatest on shared systems with multiple users.

Online miscreants can exploit this flaw to wreak havoc and compromise sensitive data. Despite its apparent severity, no fix has yet been publicly released to users, which raises questions about the urgency of addressing the issue and about the disclosure process.

The vulnerability came to light through a post on the Openwall security mailing list by Matthias Gerstner, who identified a broken authentication check in the Mozilla VPN client.

The flaw lies in the privileged Mozilla VPN Linux daemon process, which contains incorrect authorization logic related to Polkit (formerly known as PolicyKit), an authorization API used by privileged programs.

Any User Account Can Access Privileges Without Authentication Check

According to Gerstner, the authentication check wrongly asks Polkit whether the privileged Mozilla VPN D-Bus service itself is authorized to perform the action, rather than whether the calling user is.

Since the D-Bus service runs as root, it naturally passes that authorization check, so any user account, regardless of its privileges, can use the service.

“The impact is that arbitrary local users can configure arbitrary VPN setups using Mozilla VPN and thus possibly redirect network traffic to malicious parties, pretend that a secure VPN is present while it actually isn’t, perform a denial-of-service against an existing VPN connection or other integrity violations,” Matthias Gerstner wrote.

In addition, Gerstner raised concerns about the absence of Polkit authorization checks for several other D-Bus methods, including deactivate(), firewallClear(), runningApps(), cleanupLogs(), and getLogs().

These unauthenticated D-Bus methods let local users carry out operations that ought to require authentication.

On the disclosure process, Gerstner said the issue was reported privately to Mozilla on May 4, but no response was received until June 12.

It was later discovered that the flaw had already been disclosed in a GitHub pull request to the Mozilla VPN repository. Despite inquiries about coordinated disclosure, Mozilla failed to respond properly.

Since 90 days have passed, SUSE decided to publicly disclose the flaw on August 3. Subsequently, Mozilla assigned the CVE-2023-4104 identifier to the issue.

How Does Mozilla Plan To Address The Issue?

Mozilla plans to address the vulnerability in the upcoming 2.16.0 release of Mozilla VPN (regarded by many as one of the best VPN services around) by removing the Polkit authentication altogether.

However, that change still leaves the unauthenticated D-Bus APIs, which local users could potentially misuse, unaddressed.

Mozilla further aims to bolster authentication in v2.17.0, due for release in the next couple of months. After that update, D-Bus callers will need either the CAP_NET_ADMIN capability or the UID of the user who activated the connection.
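The subject mix-up described above and the caller rule planned for v2.17.0, modelled in Python as an added example (not Mozilla's code): a stub stands in for Polkit, the action id and process table are constructed, and the point is that asking about the daemon's own root process instead of the D-Bus sender makes the check pass for any caller.

```python
from dataclasses import dataclass

# Action id is an assumption for illustration; it is not taken from the advisory.
ACTION = "org.mozilla.vpn.activate"

@dataclass(frozen=True)
class Process:
    pid: int
    uid: int

class FakePolkit:
    """Stand-in for polkit CheckAuthorization: a root subject is implicitly
    authorized; any other subject needs an explicit "yes" in the policy."""
    def __init__(self, proc_table, policy):
        self.proc_table = proc_table   # constructed process table: pid -> Process
        self.policy = policy           # constructed policy: action id -> "yes"/"no"

    def check_authorization(self, subject_pid, action_id):
        subject = self.proc_table[subject_pid]
        if subject.uid == 0:
            return True
        return self.policy.get(action_id) == "yes"

class VpnDaemon:
    """Privileged D-Bus service running as root (modelled, not Mozilla's code)."""
    def __init__(self, polkit, own_pid):
        self.polkit = polkit
        self.own_pid = own_pid

    def activate_vulnerable(self, caller_pid):
        # BUG (CVE-2023-4104 pattern): the subject passed to polkit is the daemon's
        # own root process, so the check always passes; caller_pid is never used.
        return self.polkit.check_authorization(self.own_pid, ACTION)

    def activate_fixed(self, caller_pid):
        # Correct subject: the D-Bus sender's process (a real service gets this
        # from the bus, e.g. via GetConnectionUnixProcessID).
        return self.polkit.check_authorization(caller_pid, ACTION)

    @staticmethod
    def may_control_connection(caller, caller_has_net_admin, activator_uid):
        # Rule the article describes for v2.17.0: the caller needs CAP_NET_ADMIN
        # or must be the user who activated the connection.
        return caller_has_net_admin or caller.uid == activator_uid

# Constructed scenario: root daemon (pid 100), unprivileged user (pid 4242),
# a root-owned caller (pid 1), and a policy that denies unprivileged callers.
PROCS = {100: Process(100, 0), 4242: Process(4242, 1000), 1: Process(1, 0)}
DAEMON = VpnDaemon(FakePolkit(PROCS, {ACTION: "no"}), own_pid=100)
```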

Although these fixes have been proposed, Gerstner noted that there is currently no information on how or when Mozilla will address the other potential information leaks mentioned in the advisory.

Krishi Chowdhary Journalist

Krishi is an eager Tech Journalist and content writer for both B2B and B2C, with a focus on making the process of purchasing software easier for businesses and enhancing their online presence and SEO.

Krishi has a special skill set in writing about technology news, creating educational content on customer relationship management (CRM) software, and recommending project management tools that can help small businesses increase their revenue.

Alongside his writing and blogging work, Krishi's other hobbies include studying the financial markets and cricket.


© Copyright 2023 Techreport. All Rights Reserved.