Facepalm: Mozilla VPN is a service offering security, reliability, and speed on every device, "everywhere you go." However, if you use SUSE Linux, wherever you go there's a dangerous security flaw in the service's client putting everything at risk.
For the past few months, the Linux version of the Mozilla VPN client has been affected by a dangerous security issue within the software's authentication process. The bug could easily be exploited to do very nasty things with the system and users' accounts, but Mozilla still has to provide a proper fix. The maximum embargo period of 90 days is over, so the developers have now disclosed the full details about the vulnerability.
The flaw was discovered because an openSUSE community packager wanted to add the Mozilla VPN client to the openSUSE Tumbleweed Linux distro, the advisory says. The SUSE security team reviewed the application, discovering that the program contains a "privileged D-Bus service running as root and a Polkit policy." Furthermore, the Mozilla VPN client lacks proper Polkit authorization logic in the privileged 'mozillavpn linuxdaemon' process.
As explained by The Register, Polkit is an authorization API used to manage programs' access privileges. Mozilla VPN's authentication process is designed to ask Polkit to determine whether the privileged Mozilla VPN D-Bus service is authorized to perform the action instead of the user. But the D-Bus service is always running as a root, so the authorization check is always positive.
SUSE security experts say that the vulnerability could be exploited by local, malicious users to configure "arbitrary" VPN setups using the Mozilla VPN service. They could possibly "redirect network traffic to malicious parties," the advisory warns, pretend that a secure VPN is present while it actually isn't, perform a denial-of-service attack against an existing VPN connection, or "other integrity violations."
The existing Polkit authentication check is flawed, the advisory continues, but Mozilla didn't even bother to attempt to secure any of the other D-Bus authentication methods offered by its VPN client. The issue was privately disclosed in May, and SUSE security experts asked Mozilla what their intentions were regarding a "coordinated disclosure" of the bug.
The team didn't get a proper response, so they disclosed everything for the public to see. Mozilla has now assigned the issue a CVE-2023-4104 tracking code, while plans are already in motion to change the authentication process in the VPN client. Mozilla developers plan to stop using Polkit authentication altogether starting from the 2.16.0 release of the program, while improved security for the D-Bus root daemon is expected to arrive with the future 2.17.0 release.
Update: A Mozilla spokesperson contacted us with the following message regarding this story: "We acknowledge that our communication regarding this bug report could have been more precise, given our commitment to be responsive and collaborative partners. We have been working to implement improvements to address the issue, and as a result, will advance the timing of this fix in a special release of 2.16.1 for Linux on August 11th, 2023."