18.WifiCutout Landscape

A security engineer at Linux distro maker SUSE has published an advisory for a flaw in the Mozilla VPN client for Linux that has yet to be addressed in a publicly released fix because the disclosure process went off the rails.

In a post to the Openwall security mailing list, Matthias Gerstner describes a broken authentication check in Mozilla VPN client v2.14.1, released on May 30. 

Essentially, the client can be exploited by any user on a system to, among other things, configure their own arbitrary VPN setup, redirect network traffic to outside parties, and break existing VPN setups. That's no good on shared computers with multiple users.

The issue was identified, says Gerstner, when an openSUSE community manager wanted to add the Mozilla VPN client to openSUSE Tumbleweed, a Linux distribution. The software was reviewed by the SUSE security team, a standard procedure, and they found the VPN software "contains a privileged D-Bus service running as root and a Polkit policy."