Discover Cryptography News
Alarm Raised Over Mozilla VPN: Wonky Authorization Check Lets Users Cause Havoc
A security engineer at Linux distro maker SUSE has published an advisory for a flaw in the Mozilla VPN client for Linux that has yet to be addressed in a publicly released fix because the disclosure process went off the rails.
Essentially, the client can be exploited by any user on a system to, among other things, configure their own arbitrary VPN setup, redirect network traffic to outside parties, and break existing VPN setups. That's no good on shared computers with multiple users.
The issue was identified, says Gerstner, when an openSUSE community manager wanted to add the Mozilla VPN client to openSUSE Tumbleweed, a Linux distribution. The software was reviewed by the SUSE security team, a standard procedure, and they found the VPN software "contains a privileged D-Bus service running as root and a Polkit policy."