It was found that Mozilla VPN was prone to a race condition vulnerability in the Ping
Sender that frequently delivers ICMP packets to the internal IP address of the
WireGuard gateway. Shortly after turning the VPN off, those ICMP packets are at risk of
being sent outside of the WireGuard tunnel and might reveal which gateway IP was
used. Since this event is very rare and unreliable, whilst information leakage is
additionally scarce, this issue is of purely informational nature.
As it says, this is a race condition. Note that we do delete the PingSender when the disconnection is about to happen (and not after), but it could be that this is not enough.
There is a potential race condition when sending ICMP pings for
connection health monitoring where closing the tunnel could result
in exposure of the gateway IP address. By binding to the source
address when sending a ping, we should prevent this from occurring.
See: mozilla-mobile#801
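
An added illustration of the mitigation the commit message describes, not code from the Mozilla VPN client: the probe socket is bound to the tunnel-assigned source address, so `bind()` fails with `EADDRNOTAVAIL` when no local interface holds that address and the probe is never routed elsewhere. Assumptions: a UDP socket stands in for the ICMP socket so it runs unprivileged on Linux, and `make_addr`, `open_pinned_probe`, `send_probe`, port 9 and the sample addresses are hypothetical.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

static int make_addr(struct sockaddr_in *sa, const char *ip, unsigned short port)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -EINVAL;
}

/* Open a probe socket pinned to src_ip (the tunnel-assigned address); fd or -errno. */
int open_pinned_probe(const char *src_ip)
{
    struct sockaddr_in src;
    if (make_addr(&src, src_ip, 0) < 0) return -EINVAL;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);   /* assumption: UDP stands in for ICMP */
    if (fd < 0) return -errno;
    /* bind() only accepts an address that a local interface currently holds. */
    if (bind(fd, (struct sockaddr *)&src, sizeof src) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

int send_probe(const char *src_ip, const char *dst_ip)
{
    struct sockaddr_in dst;
    if (make_addr(&dst, dst_ip, 9) < 0) return -EINVAL;   /* port 9: constructed value */
    int fd = open_pinned_probe(src_ip);
    if (fd < 0) return fd;   /* source address gone: fail, never fall back to another route */
    int rc = sendto(fd, "ping", 4, 0, (struct sockaddr *)&dst, sizeof dst) < 0 ? -errno : 0;
    close(fd);
    return rc;
}

int main(void)
{
    /* Constructed: loopback plays a live tunnel address, 192.0.2.10 one no interface holds. */
    printf("live source: %d\n", send_probe("127.0.0.1", "127.0.0.1"));
    printf("gone source: %d\n", send_probe("192.0.2.10", "127.0.0.1"));
}
```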
oskirby added a commit to oskirby/mozilla-vpn-client that referenced this issue on May 1, 2021