We tasked the Gothenburg based security consulting firm, Assured AB with performing a security audit towards our VPN infrastructure.
We invite you to read the final report of our second security audit on Mullvad’s VPN infrastructure, concluded in May 2022, with fixes deployed during early June 2022.
We are satisfied with the independent auditors concluding statements, where they say that “…the configuration is sound and did not display signs of any direct customer information“, and “In summary; externally the deployments have quite a strong posture“
Prior to the audit we deployed three (3) freshly installed VPN servers which were installed for this specific use-case, meaning they were not being used by customers at the time Assured AB gained access. They audited two (2) WireGuard VPN servers (one (1) of which runs with no disks in use), and one (1) OpenVPN server.
We gave Assured AB full access via SSH to specially provisioned VPN servers and asked them to verify:
- Security and set up of servers internally
- Security and set up of servers externally
- Whether or not we log customer activity
The audit report is available on Assured AB's website.
Overview of findings
- Assured AB found no information leakage or logging of customer data
- Service and application configurations generally followed best practices
- Assured AB identified twenty-one (21) issues that ranged from “low“ to “medium“
- Assured AB identified zero (0) issues in the “critical“ or “high“ category
Key takeaway: Mullvad is once again audited on the infrastructure side!
Identified vulnerabilities of interest
MUL006-3.1.1 User-writable scripts run by root (Medium)
To quote Assured AB: “This results in a potential privilege escalation vector which could allow an
attacker with access to the promtail service account to obtain root access.“
Our comments: We have resolved the scripts mentioned in the report, and are doing a thorough investigation into reworking and updating other scripts that might potentially result in privilege escalation.
MUL006-3.1.2 Permissive firewall policy (Medium)
To quote Assured AB: “This could allow an attacker to access services or interfaces which were not intended.“
Our comments: Before the audit we had restrictive firewall rules that were set to permit only the correct connections inbound. We have switched to a default DROP rule in INPUT, meaning that we have added more stringent rules. This, along with other improvements we had already made prior to the audit now mean that our VPN server firewall rules have become even stronger and more concise.
MUL006-3.1.8 Shared credentials for consumed services and APIs
To quote Assured AB: “We recommend that each deployed machine receive its own unique credentials for outbound use, to enable revocation in case of a detected compromise. Credentials should be generated by a randomized source with sufficient entropy.“
Our comments: We have made sufficient alterations to the relevant services to add credentials with a much higher entropy that are unique per server. We have also implemented a wider range of credentials across servers and differing server types for each consumed API. Having shared credentials for our services was an oversight, made and subsequently remediated when it was highlighted by Assured AB.
Miscellaneous issues of interest
MUL006-3.1.10 Binaries lacking instrumented hardening (Low)
To quote Assured AB: “A few binaries/applications running on the target system lack certain automatic
Our comments: We have applied patches all the listed binaries that we run on our systems, ensuring that they conform to the recommendations listed in the report. Assured AB went on to say that “A number of OS and third-party applications also lack binary hardening…Our recommendation is to put pressure on the upstream package maintainers“, we intend to contact maintainers of the packages or and software we make use of to inform them of such security concerns.
MUL006-3.1.18 Service logs disabled (Note)
To quote Assured AB: “The following system services were audited, and found to have their system and
customer logging disabled entirely“
Our comments: We are thankful to Assured AB for verifying that we do not have any customer logging enabled on any of our external facing services.
There are more changes to be deployed in the near future, and the listed fixes are examples of the most interesting issues that Assured AB found.
As with our last audit we will endeavor to do audits on as close to a yearly basis as possible. We are grateful to Assured AB for auditing our servers, they were able to highlight new issues that the previous audit did not.
For the universal right to privacy,