
A cybersecurity researcher from SUSE, a Linux distribution manufacturer, has made public a serious security flaw in the Mozilla VPN client for Linux.

Mozilla has been slow to correct it, even though the vulnerability could enable malicious actors to commit a host of integrity violations.

In an article published on Openwall, Matthias Gerstner describes a faulty authentication check in the Mozilla VPN Client v2.14.1.

This vulnerability was discovered when, as part of a standard procedure, SUSE engineers analyzed the Mozilla VPN client before adding it to openSUSE Tumbleweed, a Linux distribution.

The analysis showed that the VPN software “contains a privileged D-Bus service running as root and a Polkit policy”. Because of the faulty authentication check, the D-Bus call works for any user account, regardless of privileges.
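As an added example (not code from the advisory, SUSE or Mozilla), here is a reviewer's first pass over a Polkit policy file of the kind described above: it lists each action's implicit authorization and flags the scopes that need no authentication. The sample policy and its `org.example.vpn.*` action ids are constructed placeholders, and an omitted `allow_*` element is treated as `no`.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy; the action ids are placeholders, not Mozilla's.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.vpn.activate">
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.vpn.configure">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.example.vpn.status">
    <defaults><allow_active>yes</allow_active></defaults>
  </action>
</policyconfig>"""

# Polkit's three implicit-authorization scopes: any client, clients in an
# inactive local session, clients in the active local session.
SCOPES = ("allow_any", "allow_inactive", "allow_active")

def audit_policy(xml_text):
    """Return [(action_id, {scope: value}, [scopes set to 'yes'])]."""
    findings = []
    for action in ET.fromstring(xml_text).iter("action"):
        defaults = action.find("defaults")
        levels = {}
        for scope in SCOPES:
            node = defaults.find(scope) if defaults is not None else None
            # Omitted element: treated as "no" in this example.
            levels[scope] = (node.text or "").strip() if node is not None else "no"
        open_scopes = [s for s in SCOPES if levels[s] == "yes"]
        findings.append((action.get("id"), levels, open_scopes))
    return findings

def unauthenticated_actions(xml_text):
    """Map action id -> scopes in which no authentication is required."""
    return {aid: opened for aid, _, opened in audit_policy(xml_text) if opened}

if __name__ == "__main__":
    for aid, opened in unauthenticated_actions(SAMPLE_POLICY).items():
        print(f"{aid}: no authentication required for {', '.join(opened)}")
```

A clean policy is only half of the review: the root service must also ask Polkit about the process that made the D-Bus call, which has to be confirmed in the service's code.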