Mozilla VPN Vulnerability: A Closer Look
The broken authentication check in Mozilla VPN version 2.14.1 was first identified when the openSUSE community manager sought to include the client in their Linux distribution. The SUSE security team discovered a privileged D-Bus service running as root with incorrect authorization logic. Because of this flaw, the D-Bus call succeeded for any user account, regardless of its privileges, exposing the service to misuse by unprivileged local users.
The consequences of this vulnerability are severe. Arbitrary local users can configure unauthorized VPN setups, mislead users into believing a secure VPN connection is in place when it is not, launch denial-of-service attacks on existing VPN connections, and commit other integrity violations.
The flaw was privately disclosed to Mozilla on May 4, but there was no response until June 12, when it was disclosed in a GitHub pull request. After 90 days of waiting, SUSE’s security team posted publicly about the flaw on August 3. Mozilla assigned CVE-2023-4104 to the vulnerability and intends to eliminate Polkit authentication in the upcoming v2.16.0 release. However, the flaw persists, since various D-Bus methods remain unauthenticated and accessible by any local user.
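As an added example (not code from Mozilla, SUSE or this article), here is a defender's audit of a D-Bus system bus policy file: it lists bus names that only root may own but that the default policy lets every local user send messages to, which means the service's own authorization check is the only gate. The sample policy and the name org.example.vpn are constructed placeholders, and the rule matching is simplified to a single file and to the send_* attributes.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the format of /usr/share/dbus-1/system.d/*.conf.
# org.example.vpn is a placeholder, not Mozilla VPN's real bus name.
SAMPLE_CONF = """<busconfig>
  <policy user="root">
    <allow own="org.example.vpn"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.example.vpn"/>
    <deny send_destination="org.example.vpn" send_member="Shutdown"/>
    <allow send_destination="org.example.other" send_interface="org.example.Other"/>
  </policy>
</busconfig>"""

SEND_ATTRS = ("send_destination", "send_interface", "send_member")

def _covers(later, earlier):
    """True if every send_* attribute set on `later` matches `earlier`."""
    return all(earlier.get(a) == v for a, v in later.items())

def world_callable_root_services(conf_xml):
    """Return {bus_name: [allow rules]} for names only root may own and that
    the default (every local user) policy lets anyone send messages to."""
    root = ET.fromstring(conf_xml)
    root_owned = {r.get("own") for p in root.iter("policy")
                  if p.get("user") == "root"
                  for r in p.findall("allow") if r.get("own")}
    findings = {}
    for policy in root.iter("policy"):
        if policy.get("context") != "default":
            continue
        rules = [(r.tag, {a: r.get(a) for a in SEND_ATTRS if r.get(a)})
                 for r in policy if r.tag in ("allow", "deny")]
        for i, (tag, attrs) in enumerate(rules):
            dest = attrs.get("send_destination")
            if tag != "allow" or dest not in root_owned:
                continue
            # Last matching rule wins: skip if a later deny covers this allow.
            if any(t == "deny" and a and _covers(a, attrs) for t, a in rules[i + 1:]):
                continue
            findings.setdefault(dest, []).append(attrs)
    return findings

if __name__ == "__main__":
    for name, rules in world_callable_root_services(SAMPLE_CONF).items():
        print(f"{name}: reachable by any local user via {rules}")
```

A name reported here is not vulnerable by itself; it marks a root service whose per-method authorization deserves review, since the bus policy does not restrict callers.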