#VU48164 Session Fixation


Published: 2020-11-05

Vulnerability identifier: #VU48164

Vulnerability risk: Medium

CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-15679

CWE-ID: CWE-384

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mozilla VPN Windows
Client/Desktop applications / Other client software
Mozilla VPN iOS
Mobile applications / Apps for mobile phones
Mozilla VPN Android
Mobile applications / Apps for mobile phones

Vendor: Mozilla

Description

The vulnerability allows a remote attacker to impersonate sessions of other application users.

The vulnerability exists within the OAuth session handling functionality. A remote attacker can craft a custom login URL, convince a VPN user to log in via that URL, and obtain authenticated access as that user.

This issue is limited to cases where the attacker and the victim share the same source IP address; under that condition it could allow the attacker to view session states and disconnect VPN sessions.
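The defensive check that this class of bug calls for, written here as an added illustration (not Mozilla's code and not the fixed client's actual logic): an authorization-code client that generates its own state and PKCE verifier for every login it starts, and refuses any callback whose state it did not issue. The authorization endpoint and redirect URI are hypothetical placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://auth.example/authorize"  # hypothetical authorization server


def query_param(url, name):
    """Return the first value of query parameter `name` in `url`, or None."""
    return parse_qs(urlparse(url).query).get(name, [None])[0]


class OAuthClient:
    """Client side of an authorization-code flow that only completes logins
    it started itself (the check that defeats an attacker-supplied login URL)."""

    def __init__(self, client_id, redirect_uri):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self._pending = {}  # state -> PKCE code_verifier, one entry per started login

    def start_login(self):
        """Build the authorization URL for a login this client initiates."""
        state = secrets.token_urlsafe(32)      # unguessable, known only to this client
        verifier = secrets.token_urlsafe(64)   # PKCE secret, never leaves the client
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
        self._pending[state] = verifier
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "state": state,
            "code_challenge": challenge,
            "code_challenge_method": "S256",
        }
        return AUTH_ENDPOINT + "?" + urlencode(params)

    def handle_callback(self, callback_url):
        """Accept the redirect back from the authorization server.
        Returns (code, code_verifier) for the token request; raises if the state
        was not issued by this client, so a login URL handed to the user by a
        third party can never turn into a session here."""
        state = query_param(callback_url, "state")
        code = query_param(callback_url, "code")
        if state is None or code is None:
            raise ValueError("callback is missing state or code")
        verifier = self._pending.pop(state, None)  # one-shot: a replay is refused too
        if verifier is None:
            raise ValueError("callback does not match a login started by this client")
        return code, verifier
```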

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Mozilla VPN Windows: 0.13 - 1.2

Mozilla VPN iOS: 1.0.0 - 1.0.6

Mozilla VPN Android: 1.0.0


External links
http://www.mozilla.org/en-US/security/advisories/mfsa2020-48/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
