Security News > 2023 > August > Alarm raised over Mozilla VPN: Wonky authorization check lets users cause havoc

A security engineer at Linux distro maker SUSE has published an advisory for a flaw in the Mozilla VPN client for Linux that has yet to be addressed in a publicly released fix because the disclosure process went off the rails.

In a post to the Openwall security mailing list, Matthias Gerstner describes a broken authentication check in Mozilla VPN client v2.14.1, released on May 30.

Essentially, the client can be exploited by any user on a system to, among other things, configure their own arbitrary VPN setup, redirect network traffic to outside parties, and break existing VPN setups.

Mozilla ups its VPN game - and the price - with split tunneling for Android, iOS Mozilla so sorry for intrusive Firefox VPN popup ad Mozilla VPN now nudges users to put shields up on dodgy networks, adds LAN access Mozilla unveils $4.99/month subscription-based VPN, says it won't hang onto user logs.

"The impact is that arbitrary local users can configure arbitrary VPN setups using Mozilla VPN and thus possibly redirect network traffic to malicious parties, pretend that a secure VPN is present while it actually isn't, perform a denial-of-service against an existing VPN connection or other integrity violations," said Gerstner.

According to Gerstner, the issue was privately disclosed to Mozilla on May 4, and SUSE heard nothing further until June 12, when its security team learned the flaw had been disclosed in a GitHub pull request to the Mozilla VPN repo.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/08/04/mozilla_vpn_linux_flaw/