Eight testers from Cure53 and Assured spent a total of 18 days auditing version 2018.2 of the Mullvad VPN app.
As summarized in the report, "the assessment yielded a total of seven issues, which [is] an exceptionally small number given the complex field of the VPN software and the connected, vast attack surface."
Of those seven, six concerned the app, and none of them was remotely exploitable. The testers also found no traffic leaks and no way for a network-based attacker to force a leak. The remaining issue concerned our website.
More information about the audit, and our comments on the issues in the report, can be found on the Mullvad blog:
The final report is available on Cure53's website.
Also public is the initial report which is the version that was initially presented to us. After a discussion with the auditors about the use of certain terminology, they adjusted the report to provide better clarity and produced the final version.
The reports are also available directly in this repository:
Of the seven issues found, the two identified vulnerabilities required local access to the computer. Of the five miscellaneous issues, three required local access, one pertained to our website, and the last one concerned software dependencies.
Regarding the five findings that depended on local access, it should be noted that in general we do not consider attackers with local access to be part of our threat model. Nonetheless, we will of course consider all recommendations made by the auditors to further improve the security of our app.
Please feel free to contact us if you have any questions after reading this post or the audit report.
- MUL-01-004 Windows: Privilege escalation by replacing executables (Critical)

  Our comment: Solved in app version 2018.3. Under certain conditions, a user with local access could abuse the app to gain administrative privileges.
- MUL-01-006 Daemon: Any user can issue WebSocket commands (High)

  Our comment: Any user with local access can control the app. This is currently intentional, but we will consider the auditors' recommendations. It should also be noted that we have since replaced the WebSocket interface with IPC.
As described by the auditors, "This section covers those noteworthy findings that did not lead to an exploit but might aid an attacker in achieving their malicious goals in the future.
"Most of these results are vulnerable code snippets that did not provide an easy way to be called. Conclusively, while a vulnerability is present, an exploit might not always be possible."
- MUL-01-001 App: Missing Browser Window preferences allow RCE (Info)

  Our comment: Requires a local user to drag a malicious file onto the app window. We are looking into this.
- MUL-01-002 App: WebSocket leaks real IP addresses and geolocation (Medium)

  Our comment: By its current design, all local users should be able to query the app for current status and information. See also MUL-01-006. We are looking into this.
- MUL-01-003 Daemon: Weak permissions on config and log files (Low)

  Our comment: A local user can read the configuration and log files of the app. We are looking into this.
- MUL-01-005 OOS: CSRF on adding and removing forwarded ports (Low)

  Our comment: Fixed on 20 September 2018.
- MUL-01-007 App: Lax version requirements for Node dependencies (Info)

  Our comment: We are looking into this.
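The drag-and-drop case behind MUL-01-001 is the classic Electron pattern: a window created without restrictive `webPreferences` lets a dropped HTML file navigate the window to a `file://` URL, and with Node integration enabled the dropped page's script then runs with Node privileges. The following is an added example written for this page, not code from the Mullvad app or the audit report. It assumes an app with a single entry document (`appEntryUrl`) and Electron 12 or later (for `setWindowOpenHandler`); `BrowserWindow` and `document` are passed in as parameters so the policy functions can be exercised without Electron installed.

```javascript
// Added example, not code from the Mullvad app or the Cure53 report.
// Hardens an Electron BrowserWindow against the "drag a file onto the window"
// pattern: dropping an HTML file navigates the window to it, and if Node
// integration is on, that page's script runs with Node access (arbitrary code
// execution as the app's user).
// Assumptions: one app entry document (appEntryUrl); Electron >= 12.

const HARDENED_WEB_PREFERENCES = Object.freeze({
  nodeIntegration: false,            // renderer gets no require()/process
  contextIsolation: true,            // preload and page scripts in separate worlds
  sandbox: true,                     // renderer runs inside the Chromium sandbox
  webSecurity: true,                 // same-origin policy enforced
  allowRunningInsecureContent: false,
});

// Navigation policy: only the app's own entry document may be loaded.
// Query string and fragment are ignored so hash-based routing keeps working.
function isNavigationAllowed(targetUrl, appEntryUrl) {
  let target;
  let entry;
  try {
    target = new URL(targetUrl);
    entry = new URL(appEntryUrl);
  } catch {
    return false; // unparsable URL: deny
  }
  return (
    target.protocol === entry.protocol &&
    target.host === entry.host &&
    target.pathname === entry.pathname
  );
}

// Main-process side: veto any navigation that is not to the entry document
// (this includes the navigation a file drop triggers) and refuse child windows.
function attachNavigationGuard(win, appEntryUrl) {
  win.webContents.on('will-navigate', (event, url) => {
    if (!isNavigationAllowed(url, appEntryUrl)) {
      event.preventDefault();
    }
  });
  win.webContents.setWindowOpenHandler(() => ({ action: 'deny' }));
}

// Renderer side (preload or page script): swallow drag-and-drop so Chromium
// never starts the navigation in the first place. `doc` is the renderer's
// `document`; it is a parameter so the function can be tested without a DOM.
function installDropGuard(doc) {
  const block = (event) => event.preventDefault();
  for (const type of ['dragover', 'drop']) {
    doc.addEventListener(type, block);
  }
}

// Wires the pieces together. `BrowserWindow` is injected (hypothetical caller
// passes Electron's class) so this module does not require Electron to load.
function createHardenedWindow(BrowserWindow, appEntryUrl) {
  const win = new BrowserWindow({ webPreferences: { ...HARDENED_WEB_PREFERENCES } });
  attachNavigationGuard(win, appEntryUrl);
  win.loadURL(appEntryUrl);
  return win;
}
```

Both layers are worth keeping: the renderer-side drop guard stops the navigation at its source, and the main-process `will-navigate` veto covers anything the renderer misses, including navigations to `javascript:` URLs and files outside the app directory.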
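MUL-01-007 concerns dependency specifiers that admit more than one version, so that a fresh `npm install` can pull in a release nobody reviewed. As an added example (not the project's own tooling), the checker below reads a package.json and lists every dependency that is not pinned to one exact version, with the reason. The package.json it runs on is constructed for the example and is not the Mullvad app's manifest.

```javascript
// Added example for MUL-01-007; not code from the Mullvad project.
// Lists dependency specifiers in a package.json that are not pinned to one
// exact version. A caret, tilde, wildcard, range or non-registry source lets
// `npm install` resolve a different version on each machine.

// Exact semver: MAJOR.MINOR.PATCH with optional pre-release and build metadata.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

const DEFAULT_SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Explains why a specifier is not an exact version.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (s === '' || s === '*' || s === 'latest') return 'any version';
  if (/^(git\+|git:|github:|https?:|file:|link:|npm:)/.test(s)) return 'non-registry source';
  if (/^[~^]/.test(s) || /^[<>=]/.test(s) || /\s-\s/.test(s) || /\|\|/.test(s) || /[xX*]/.test(s)) {
    return 'range';
  }
  return 'not an exact version';
}

// Returns one finding per dependency whose specifier is not an exact version.
function findLaxDependencies(packageJsonText, sections = DEFAULT_SECTIONS) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const section of sections) {
    const deps = pkg[section];
    if (!deps || typeof deps !== 'object') continue;
    for (const [name, spec] of Object.entries(deps)) {
      if (!EXACT_VERSION.test(String(spec).trim())) {
        findings.push({ section, name, spec, reason: classifySpec(spec) });
      }
    }
  }
  return findings;
}

function formatReport(findings) {
  if (findings.length === 0) return 'all dependencies pinned to exact versions';
  return findings
    .map((f) => `${f.section}: ${f.name}@"${f.spec}" (${f.reason})`)
    .join('\n');
}

// Constructed sample manifest (not the Mullvad app's package.json).
const SAMPLE_PACKAGE_JSON = JSON.stringify(
  {
    name: 'example-app',
    version: '1.0.0',
    dependencies: {
      electron: '2.0.8',
      'left-pad': '^1.3.0',
      ws: '*',
      'some-lib': 'github:someone/some-lib',
    },
    devDependencies: {
      eslint: '~5.6.0',
      mocha: '5.2.0',
    },
  },
  null,
  2,
);

console.log(formatReport(findLaxDependencies(SAMPLE_PACKAGE_JSON)));
```

Pinning in package.json is only half of it: commit the lockfile and install with `npm ci`, which fails instead of silently re-resolving when package.json and the lockfile disagree.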