diff options
| -rw-r--r-- | audits/2020-06-12-cure53.md | 137 | ||||
| -rw-r--r-- | audits/README.md | 3 | ||||
| -rw-r--r-- | audits/pentest-report_mullvad_2020_v1.pdf | bin | 0 -> 279893 bytes | |||
| -rw-r--r-- | audits/pentest-report_mullvad_2020_v2.pdf | bin | 0 -> 280333 bytes |
4 files changed, 139 insertions, 1 deletions
diff --git a/audits/2020-06-12-cure53.md b/audits/2020-06-12-cure53.md new file mode 100644 index 0000000000..82ca5fc3f6 --- /dev/null +++ b/audits/2020-06-12-cure53.md @@ -0,0 +1,137 @@ +# 2020-06-12 - Cure53 + +Six people from [Cure53](https://cure53.de/) performed a penetration test and source code audit +of the Mullvad VPN app with a budget of twenty days. The audit included all five supported +platforms: Windows, Linux, macOS, Android and iOS. The audit work was carried out over a two +week period in late May and early June of 2020, and the final audit report was handed +over to Mullvad on 2020-06-12. + +For the desktop app, version [2020.4] was audited. On Android version [2020.5-beta1] +was audited. And on iOS the test flight version that later became [ios/2020.3] +was audited. + +A quote from the conclusions chapter of the report: + +> The results of this May-June 2020 project targeting the Mullvad complex are quite +positive. After spending twenty days on the scope, six members of the Cure53 team +could only spot seven security-relevant items. Moreover, penetration tests and audits +against application branches of Mullvad exclusively pointed to issues with limited +severities, as demonstrated by the most impactful flaw scoring as Medium only. + +> Bringing together evidence from different components clearly suggests that the Mullvad +complex came out victorious from this Cure53 external assessment. Despite thorough +penetration tests and dedicated audits against various Mullvad apps, clients and APIs, +Cure53 was unable to compromise the complex. Mullvad clearly represents a mature +design as a function of a sound development process. All findings found during this +engagement were patched before the final stages of the project, which is also a very +good indicator. The Mullvad complex is definitely on the right track from a security +standpoint. + +## Read the report + +The final report is available [on Cure53's website](https://cure53.de/pentest-report_mullvad_2020_v2.pdf). + +Also public is the [initial report](https://cure53.de/pentest-report_mullvad_2020_v1.pdf) which is the +version that was initially presented to us. After a discussion with the auditors about the use of +certain terminology and being more specific about what app versions had been audited, +they adjusted the report to provide better clarity and produced the final version. +For full transparency we insist to publish both versions. + +The reports are also available directly in this repository: +* Final version: [pentest-report_mullvad_2020_v2.pdf](./pentest-report_mullvad_2020_v2.pdf) +* Inital version: [pentest-report_mullvad_2020_v1.pdf](./pentest-report_mullvad_2020_v1.pdf) + +## Overview of findings + +This chapter will present a short summary of all security findings from the report and +Mullvad's response to them. + +Out of the seven issues found, two were on *medium* level. Two issues had level *low* +and the remaining three had level *info*. This means that the auditors did not find anything +that they classified as very dangerous or could seriously or easily compromise +the security and anonymity of the app users. + +Fixes were implemented for five of the seven issues. The remaining two +identified items are things Mullvad do not deem serious problems nor are they a threat +to us or our users. Furthermore, there was no way of patching those two as they +were outside of our control. + +All issues that we implemented fixes for had their fixes merged before the final report +was done and sent over to Mullvad. Version [2020.5-beta2] of the app has all found +vulnerabilies fixed ([ios/2020.3] for iOS). + +### Identified vulnerabilities + +* __MUL-02-002 WP2__: Firewall allows deanonymization by eavesdropper (Medium) + + _Our comment_: This is a legitimate and fully possible deanonymization attack. However, it is + not trivial to execute, so Cure53 classify it as medium only. This vulnerability is not + an issue for any normal user. But as the report outlines in the conclusion chapter, a + "state-funded and persistent threat" could very well use it to identify users. Since Mullvad + care deeply about anonymity and our users with high threat models, we regard this finding + as a rather serious one. But not critical enough to justify rushing out a stable release + This issue is fixed in all desktop apps in the following PRs: + * [Windows PR #1827](https://github.com/mullvad/mullvadvpn-app/pull/1827) + * [Linux PR #1819](https://github.com/mullvad/mullvadvpn-app/pull/1819) + * [macOS PR #1829](https://github.com/mullvad/mullvadvpn-app/pull/1829). + +* __MUL-02-006 WP1__: Blind HTML Injection via Problem Report (Low) + + _Our comment_: This finding does not put any Mullvad user or Mullvad itself in any risk. + The problem reports are handled as plaintext and not HTML all the way from the app to the + support team. The pingback observed in the report comes from Google's gmail servers + who simply seem to query any URL they can parse in email bodies passing through their servers. + As such, we do not agree with the classification as a HTML injection issue. + There is probably no way Mullvad can disable this, and even if it was exploitable it would be + Google that would be compromised and not Mullvad. + +* __MUL-02-007 WP2__: Named Pipe exposed via SMB accessible to everyone (Medium) + + _Our comment_: This vulnerability allows controlling the Mullvad VPN on a Windows machine + from the network. However, it requires the user to both enable "Local network sharing" in + the app and disable Window's "password protected sharing". Neither of this is done by default, + and Mullvad would not recommend anyone who care about their security or privacy to ever disable + "password protected sharing" at all. We do not see this as a large security flaw, since the user + must explicitly turn off important security settings for this to be exploitable to begin with. + However, since the VPN is only supposed to be possible to control from the local computer, + and since the report presents an easy to implement fix for the issue, we have implemented the + proposed fix in [PR #1830](https://github.com/mullvad/mullvadvpn-app/pull/1830). + +### Miscellaneous issues + +* __MUL-02-001 iOS__: Lack of filesystem protections (Info) + + _Our comment_: The app does not in any way need the cache file that was found. So we directly + implemented the suggested fix to get rid of it in + [PR #1808](https://github.com/mullvad/mullvadvpn-app/pull/1808). + Since the exposed data is not very sensitive, + and since getting the data out of the device is far from trivial, we agree this is *info* + level and not a serious leak in any way. + +* __MUL-02-003 WP1__: General hardening recommendations for Android app (Info) + + _Our comment_: These are good recommendations from Cure53. It is indeed not a vulnerability + in any way, but to practice defense-in-depth better we implemented the recommendations in + [PR #1823](https://github.com/mullvad/mullvadvpn-app/pull/1823) and + [PR #1822](https://github.com/mullvad/mullvadvpn-app/pull/1822). + +* __MUL-02-004 WP2__: Firewall allows TCP connections to WireGuard gateway (Low) + + _Our comment_: This vulnerability is very similar to __MUL-02-002__. But less dangerous + since no custom token can be sent out, which makes it harder to identify a specific + user. This issue was fixed for Windows in the same PR where __MUL-02-002__ was fixed. + +* __MUL-02-005 WP1__: VpnService logs static internal IPs to Android’s syslog (Info) + + _Our comment_: Leaking the private tunnel IP in use is considered bad but not critical + in any way. We agree with the *info* level on this security finding since the attacker + needs either `adb` access or the phone to be rooted. There is no way Mullvad can fix + this potential information leak. The logging of the IP is done by the Android operating + system as soon as any VPN app uses the operating system's VPN API. As far as we can tell + there is no way to disable this, and all Android VPN apps are subject to the same type + of leak. + +[2020.4]: ../CHANGELOG.md#20204---2020-05-12 +[2020.5-beta1]: ../CHANGELOG.md#20205-beta1---2020-05-18 +[ios/2020.3]: ../ios/CHANGELOG.md#20203---2020-06-12 +[2020.5-beta2]: ../CHANGELOG.md#20205-beta2---2020-06-16 diff --git a/audits/README.md b/audits/README.md index 02dfc24201..5f29ec93e3 100644 --- a/audits/README.md +++ b/audits/README.md @@ -4,4 +4,5 @@ Independent audits help to discover potential security vulnerabilities and fix t in an even better service. It also gives you the opportunity to judge whether or not we are technically competent enough to provide a service in which security is paramount. -* 2018-09-24 - [Assured and Cure53](./2018-09-24-assured-cure53.md) +* [2018-09-24 - Assured and Cure53](./2018-09-24-assured-cure53.md) +* [2020-06-12 - Cure53](./2020-06-12-cure53.md) diff --git a/audits/pentest-report_mullvad_2020_v1.pdf b/audits/pentest-report_mullvad_2020_v1.pdf Binary files differnew file mode 100644 index 0000000000..d35af5bd1d --- /dev/null +++ b/audits/pentest-report_mullvad_2020_v1.pdf diff --git a/audits/pentest-report_mullvad_2020_v2.pdf b/audits/pentest-report_mullvad_2020_v2.pdf Binary files differnew file mode 100644 index 0000000000..135ded7882 --- /dev/null +++ b/audits/pentest-report_mullvad_2020_v2.pdf |