Well, I paraphrased the questions that de0u highlighted, and sent them in an email to ProtonVPN support. I now received the following reply:

Hello,

Thank you for your reply and the additional information that you've gathered; it has also been forwarded to our Android developers.

With all the information so far, we have no reason to believe that this is an exploitable vulnerability, but we can't guarantee this as the issue is still under investigation.

The Android development team is already aware of some crashes happening with WireGuard due to memory corruption, and they're actively being looked into.

However, I unfortunately can't give you a specific timeframe for when this one could be fixed.

We appreciate your understanding.

They did not tell me why they have "no reason to believe that this is an exploitable vulnerability", so I've asked them to clarify that.

    fid02 Like they said in the response you shared from them, their reasoning is based on the information so far that you've provided them.

      ErnestThornhill Like they said in the response you shared from them, their reasoning is based on the information you've provided them so far.

      Except that's not what they said. "With all the information so far" could mean they have gathered additional information from an internal investigation. Or not. It really could mean anything.

      fid02 They did not tell me why they have "no reason to believe that this is an exploitable vulnerability", so I've asked them to clarify that.

      Sounds like a talking point.

      On the one hand, an exploit would be an undeniable reason to believe it's exploitable, so until they have one it's not certainly exploitable.

      But on the other hand a fair fraction of overruns are exploitable, so on that basis they arguably should be concerned. In a sense I think what's on the table is at least a faint reason.

      Meanwhile, it matters whether or not a developer is actively spending hours per day on diagnosis.

      If the ticket is just sitting in a queue, I'd say it is technically true that they don't know it's exploitable, but not at all reassuring.

        de0u

        The text

        With all the information so far, we have no reason to believe that this is an exploitable vulnerability

        gave me the impression that they are leaning towards this bug not being exploitable. But maybe I'm reading it wrongly. If their reply means "we don't know if it's exploitable, yet" then fair enough.

          fid02 Well... What seems clear to me is that if they find the bug and fix it (which seems like a good idea?!) then it won't be exploitable.

            de0u Of course. I did not mean to imply that a successful fix would mean that a (potentially) exploitable bug would continue to be exploitable. 😅

              fid02 I did not mean to imply that a successful fix would mean that a (potentially) exploitable bug would continue to be exploitable.

              I apologize for being unclear! My point was that "the proof is in the pudding": after they find the bug it will be easy to say with some confidence whether it was or wasn't exploitable. But until they find and fix it, assurances that it's not exploitable seem a little thin to me.

              (Edit: Also, the longer it takes to turn the crash into the bug the more likely it is, I think, to be exploitable. A simple mistake would generally be simple and local to fix.)

              gsture I also ran into issues with the Mullvad VPN app. I don't know if it is related, but I get random VPN disconnect notifications from Android with memory tagging on. The VPN app still thinks it is connected and does not reconnect, or the app is not running properly anymore. With memory tagging off, the VPN works fine. I do not get any obvious errors or crashes, though.

              fid02 That's an issue in Mullvad that I've heard a few other community members report as well. I'm not using Mullvad now but I remember it occurring to me previously. Can be reported to them.

              Just to report back on this real quick. After sending Mullvad a bug report and some logs, this issue should now be fixed in an upcoming release.

              I'm curious, is this an error having specifically to do with the VPN or the VPN app? My VPN connection was stopping with Rethink and WireGuard apps, though it didn't give the memory tagging error.

              a month later

              I asked Proton support for information on the current status on the investigation into this memory safety issue. Here is the reply I received today:

              Hello,

              Thank you for reaching out to us!

              Kindly note that there are unfortunately no updates regarding this. Our team is currently busy at the moment with other more prioritized matters, but they will hopefully take a closer look in the upcoming period.

              Have a nice day!
              Kind regards,

              [removed name]
              Customer Support
              Proton VPN

              Let's hope that "more prioritized matters" implies fixing other, and perhaps more serious, privacy and security issues. What's certain is that the public knows virtually nothing about their investigation into the issue – which was first reported to them at least 8 months ago. The bug might be related to this Go issue, which Mullvad seems to have already worked around. Not clear if Proton knows about this…

                fid02 I have to say it sounds as if somebody decided it doesn't matter and it's just sitting around.

                For example, have they reproduced it? If they haven't even done that then it's probably going nowhere.

                Who knows, maybe they have an LLM doing prioritization and it doesn't understand MTE because there aren't enough web pages about it yet.

                matchboxbananasynergy I continue to doubt that this has reached the development team. I might be wrong, however.

                Proton support sent me the following, on Sep 11:

                The Android development team is already aware of some crashes happening with WireGuard due to memory corruption, and they're actively being looked into.

                Unless they are not speaking the truth, I have to assume that the sentence means it has, at some point, reached the ears of a development team. Although "some crashes" is vague enough to not inspire much confidence that the support team relayed my emails to the development team, it sounds like at least some memory corruption was being looked into at some point in the past.

                Extremely frustrating that a company heavily marketed towards privacy continues to not prioritize this (but at least we now have confirmation of that). Also does not inspire confidence that, with the exception of Proton Pass, all their apps have obvious incompatibilities when being run with memory tagging. A direct competitor has fixed a memory safety issue reported by a GrapheneOS user and is now running their Android app with memory tagging on GrapheneOS in order to debug further issues. That appears to be in stark contrast to what Proton is doing. I will be relaying the Go bug to them, then I will give up on their support team. Someone else is welcome to pick up the ball!

                Wishing you all a happy day.

                (And thank you for your patience with my expressed frustration!).

                  Would it make sense to try complaining on their subreddit? "YOUR DEVICES MIGHT BE VULNERABLE BECAUSE OF PROTON'S INACTION – memory-corruption bug reported months ago still unfixed" might make people panic a little and is definitely not the kind of discourse you'd generally want, but if that's what's needed to get them to actually do something, maybe it's worth it?

                    fxnn Well, for one, I personally don't like that part of the dark web. Secondly, I don't much believe in fear-inspiring headlines. If someone wrote a Reddit post, it might be beneficial with an attention-grabbing headline, sure, but I think an explanation of an issue should also illustrate the situation in a reasoned way (preferably without pressing the Caps Lock button), and not invoke imminent fear and uncertainty.

                      fid02 Also does not inspire confidence that, with the exception of Proton Pass, all their apps have obvious incompatibilities when being run with memory tagging.

                      Only Proton VPN and Wallet encounter an error when memory tagging is enabled. Mail, Calendar, Drive and Pass run perfectly fine with it enabled.

                        ErnestThornhill Mail, Calendar, Drive

                        Occasional sudden shutdowns of the apps occur for me when I run them with memory tagging. Have also seen other users report this in the community chat rooms.

                          ErnestThornhill But, perhaps you are running newer versions than I have, maybe beta versions? If so, it would of course be good news if the issues with those apps have been fixed.

                            fid02 Nope. They've always worked fine for me in terms of memory tagging being enabled.