Carding
Professional
- Messages
- 2,870
- Reaction score
- 2,491
- Points
- 113
The bug turns the Linux security system into a tool for stealing data.
Security experts at SUSE have discovered a critical vulnerability in the Mozilla VPN 2.14.1 client for Linux. The issue allows any user on the system to set up their own VPN connection, redirect network traffic, and break existing VPN settings, which is especially dangerous on computers with multiple users.
The vulnerability was discovered during a security audit when the SUSE team decided to add the Mozilla VPN client to the openSUSE Tumbleweed Linux distribution. During a routine security check, the team discovered that the VPN service contained a privileged D-Bus service running as root and a Polkit policy (an authorization API for privileged programs).
They note that due to the way the authentication check is written, to perform the action, the code asks Polkit to determine if the privileged D-Bus Mozilla VPN service is authorized, and not the user. Because the D-Bus service runs as root, the authorization check always returns true. This means that a D-Bus call will work for any user account, regardless of privileges.
In the context of a vulnerability in the Mozilla VPN client for Linux, the D-Bus service is used to process VPN connection requests and other related operations. The problem is that the service was configured incorrectly, allowing any user on the system to perform actions that would normally require administrator privileges.
The issue was privately disclosed to Mozilla on May 4, but SUSE did not receive any further information until June 12, when it learned that the vulnerability had been disclosed in a pull request to the Mozilla VPN GitHub repository.
The vulnerability has been assigned the identifier CVE-2023-4104 . A Mozilla spokesperson said the organization plans to share more information soon. Mozilla VPN users on Linux should be aware of this vulnerability and stay tuned to install the patch as soon as it becomes available.
Security experts at SUSE have discovered a critical vulnerability in the Mozilla VPN 2.14.1 client for Linux. The issue allows any user on the system to set up their own VPN connection, redirect network traffic, and break existing VPN settings, which is especially dangerous on computers with multiple users.
The vulnerability was discovered during a security audit when the SUSE team decided to add the Mozilla VPN client to the openSUSE Tumbleweed Linux distribution. During a routine security check, the team discovered that the VPN service contained a privileged D-Bus service running as root and a Polkit policy (an authorization API for privileged programs).
They note that due to the way the authentication check is written, to perform the action, the code asks Polkit to determine if the privileged D-Bus Mozilla VPN service is authorized, and not the user. Because the D-Bus service runs as root, the authorization check always returns true. This means that a D-Bus call will work for any user account, regardless of privileges.
In the context of a vulnerability in the Mozilla VPN client for Linux, the D-Bus service is used to process VPN connection requests and other related operations. The problem is that the service was configured incorrectly, allowing any user on the system to perform actions that would normally require administrator privileges.
The issue was privately disclosed to Mozilla on May 4, but SUSE did not receive any further information until June 12, when it learned that the vulnerability had been disclosed in a pull request to the Mozilla VPN GitHub repository.
The vulnerability has been assigned the identifier CVE-2023-4104 . A Mozilla spokesperson said the organization plans to share more information soon. Mozilla VPN users on Linux should be aware of this vulnerability and stay tuned to install the patch as soon as it becomes available.
