Fourth Infrastructure audit completed by Cure53
We contracted Cure53 with performing a security audit towards our VPN infrastructure between 3rd June 2024 and 14th June 2024, this is our fourth audit in total, second with Cure53.
We asked Cure53 to focus solely on one OpenVPN and one WireGuard server. The scope included paying attention to anything that would impact privacy alongside their regular white-box security testing. Cure53 were given access to both servers, as well as the Ansible code used to deploy them.
For this audit we deployed two VPN servers in our staging environment. Our staging environment is configured identically to production, bar that no customers connect to it, and the servers are virtual on hardware we own.
Cure53 found two issues, with one rated low, and one rated medium. The remainder were rated info. In the days following a debrief with Cure53, these issues were marked as resolved as they had been deployed to our customer-facing production environment. This has been reflected in their report.
Quoting the report
Cure53 concluded the audit by expressing that their “..overall verdict on the current security posture of the assessed items within the scope is very positive. The attention to detail and deliberate application of security concepts clearly indicate that the infrastructure team is highly knowledgeable about, and committed to sound security practices and awareness.“
Read the full audit report on Cure53’s website here.
Report notes and comments
MUL-04-004 WP1/2: LPE for user mullvad-local-checks to root (Low)
Cure53 recommended: aligning file ownership and process ownership, thereby preventing any owner boundaries from being breached.
Mullvad: the file permissions have been tightened, and the owner and group memberships have been changed appropriately.
MUL-04-005 WP1/2: User can hide from check-unauthorized-logins (Medium)
Cure53 recommended: adjusting the username regex to avoid matching substrings.
Mullvad: A change was applied to match exact usernames.
MUL-04-001 WP1/2 Superfluous sudo configuration for nonexistent group (Info)
Cure53 recommended: removing unnecessary sudo rules will fully mitigate this issue. Keeping the number of sudo rules to a minimum helps maintain optimal oversight of systems, particularly security-critical subsystems like sudo configuration.
Mullvad: This leftover configuration was removed.
MUL-04-002 WP1/2 Ansible hardening suggestions (Info)
Cure53 recommended: “It is recommended to remove the Ansible playbooks and roles from the local system, and to ensure they are not cached during deployment.”
Mullvad: We clarified to Cure53 during our debrief session and in writing that our method of using Ansible is not to cache push-based deployments but rather so we can have a system to deal with scaling out our deployments.
The main two issues that it solves for us are deployment time and continuosly asserting configuration state. We have modified the principles that ansible-pull is built on, to use a bespoke per-host configuration, similar to how other pull-based configuration management tools work. This ensures we only have secrets for the host itself, rather than for the entire inventory, which ansible-pull would store.
We accepted the risk during development regarding extra playbooks and roles. When migrating certain configurations on servers we apply a pre-deployment playbook, which runs migration tasks aimed at many server types. This playbook imports the roles associated with all applicable server types, and our ansible-local scripts will transfer all the roles listed in here, whether they are for the server in question or not.
---
Cure53 concluded their report by stating that they “..attempted to identify any potential methods by which a user's VPN traffic anonymity or integrity could be compromised. No such issues were found, and no vulnerabilities affecting the core product were detected.”
They also praised our security, by stating that “Mullvad's system includes a multitude of hardening features, and this is extremely positive. It also contributes to a robust security posture that mitigates many attack vectors.“
All changes have been applied, verified and deployed to our production servers. We will perform another audit on our VPN infrastructure in 2025.
For the universal right to privacy,
Mullvad