Dr.-Ing. Mario Heiderich, Cure53
Bielefelder Str. 14
D 10709 Berlin
Features such as split-tunneling and multi-hop connections were implemented using
established technologies such as cgroups in Linux, or alternatively relying on route
management as well as Mullvad libraries and drivers. The fact that these were integrated
from scratch minimizes the likelihood of emerging weaknesses, with no notable
concerns to report during the allocated assessment schedule.
In tandem with the addition of the Adjust SDK, an HTTP proxy was installed that filters
out unnecessary Adjust data. This proxy has been implemented in C++, although Rust would
arguably be the better choice in this context from a memory-safety perspective.
Nonetheless, the C++ code was deemed carefully written and raised no security
concerns. Similarly, the remaining C++ code was found to be structured to an equally
high standard. The fact that the mozillavpnnp helper binary was written in Rust was noted
with commendation, owing to the inherent memory safety it offers. Cure53 also
acknowledged sufficient safeguards in the key management implementation on both the
Linux and macOS platforms. Despite extensive attempts, the auditors were unable to
identify a compromise vector that would allow an attacker to extract the client's private
key.
In relation to the Windows aspects in focus for this project, Cure53 specifically homed in
on potential Windows service-creation and privilege-escalation flaws, which included
inspections of the communication via the named pipes created by the various components.
In spite of the audit team's exhaustive approach, no shortcomings were discovered in
this regard. The Windows VPN application takes advantage of the system's credential
storage to store authentication data securely.
Cure53 conducted ancillary tests to determine whether the VPN services store or access
files that are accessible to the currently authenticated user. Since the services in
question store their logs and similar files in system32, administrator privileges are
required to mount file-system-related attacks, such as those via symlinks. Moreover, the
auditors sought to ascertain the potential for DNS leakage via Windows 10's Smart
Multi-Homed Name Resolution, which can send DNS requests over all network interfaces.
The VPN client is unaffected by this behavior, so the risk of deanonymization attacks via
DNS leakage was considered negligible.
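As an added illustration of the check a defender can run on their own Windows host (example code, not part of the Cure53 report or the Mozilla VPN code base): the script below reads the Group Policy value that turns off Smart Multi-Homed Name Resolution and lists every non-tunnel adapter that still carries DNS server addresses, since those are the interfaces SMHNR would query in parallel. The tunnel adapter name pattern is an assumption and must be adjusted to the setup under test.

```powershell
# Added example: audit SMHNR exposure on a Windows 10/11 host.
# Run from an elevated PowerShell session.

# Assumed adapter name pattern for the VPN tunnel interface; adjust as needed.
$TunnelNamePattern = 'Mozilla VPN*'

# Group Policy "Turn off smart multi-homed name resolution" writes this value (DWORD 1 = disabled).
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$policyName = 'DisableSmartNameResolution'

# 1. Is SMHNR disabled by policy on this machine?
$value = (Get-ItemProperty -Path $policyPath -Name $policyName -ErrorAction SilentlyContinue).$policyName
if ($value -eq 1) {
    Write-Output "[OK]   SMHNR disabled via policy ($policyPath\$policyName = 1)"
} else {
    Write-Output "[WARN] SMHNR not disabled by policy; the resolver may query DNS servers on every adapter"
}

# 2. Which adapters, other than the tunnel, still have DNS servers configured?
#    With SMHNR active these would receive the same queries as the tunnel's resolver.
$leakCandidates = Get-DnsClientServerAddress -AddressFamily IPv4, IPv6 |
    Where-Object { $_.ServerAddresses.Count -gt 0 -and $_.InterfaceAlias -notlike $TunnelNamePattern } |
    ForEach-Object {
        [pscustomobject]@{
            Interface  = $_.InterfaceAlias
            Family     = $_.AddressFamily
            DnsServers = ($_.ServerAddresses -join ', ')
        }
    }

if ($leakCandidates) {
    Write-Output "[INFO] Non-tunnel adapters with DNS servers configured:"
    $leakCandidates | Format-Table -AutoSize
} else {
    Write-Output "[OK]   No non-tunnel adapter carries DNS server addresses"
}
```

A client that clears or overrides the DNS servers on non-tunnel adapters while connected, as the report describes for the audited VPN, will produce an empty list in step 2 regardless of the policy setting.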
To provide some final recommendations, Cure53 observed ample opportunities for minor
and miscellaneous hardening, including the removal of support for outdated or
unmaintained Android and iOS versions (see FVP-03-005 and FVP-03-006). The
Android app in particular would benefit from dropping support for v1 signatures (see
FVP-03-007) and integrating screenshot protection to prevent the leakage of secret
information (see FVP-03-013).
Cure53, Berlin · 12/01/23 23/24