Memory tagging error in ProtonVPN
- Edited
fid02 I did not mean to imply that a successful fix would mean that a (potentially) exploitable bug would continue to be exploitable.
I apologize for being unclear! My point was that "the proof is in the pudding": after they find the bug it will be easy to say with some confidence whether it was or wasn't exploitable. But until they find and fix it, assurances that it's not exploitable seem a little thin to me.
(Edit: Also, the longer it takes to turn the crash into the bug the more likely it is, I think, to be exploitable. A simple mistake would generally be simple and local to fix.)
gsture I also ran into issues with mullvad vpn app. I don't know if it is related but I get random vpn disconnect notification from android with memory tagging on. The vpn app still thinks it is connected and does not reconnect or the app is not running properly anymore. Memory tagging off the vpn works fine. I do not get any obvious errors or crashes though.
fid02 That's an issue in Mullvad that I've heard a few other community members report as well. I'm not using Mullvad now but I remember it occurring to me previously. Can be reported to them.
Just to report back on this real quick. After sending mullvad a bug report and some logs this issue should now be fixed in upcoming release.
I'm curious, is this an error having specifically to do with the VPN or the VPN app? My VPN connection was stopping with Rethink and Wireguard apps, though it didn't give the memory tagging error.
I asked Proton support for information on the current status on the investigation into this memory safety issue. Here is the reply I received today:
Hello,
Thank you for reaching out to us!
Kindly note that there are unfortunately no updates regarding this. Our team is currently busy at the moment with other more prioritized matters, but they will hopefully take a closer look in the upcoming period.
Have a nice day!
Kind regards,[removed name]
Customer Support
Proton VPN
Let's hope that "more prioritized matters" implies fixing other, and perhaps more serious, privacy and security issues. What's certain is that the public knows virtually nothing about their investigation into the issue – which was first reported to them at least 8 months ago. The bug might be related to this Go issue, which Mullvad seems to have already worked around. Not clear if Proton knows about this…
fid02 I have to say it sounds as if somebody decided it doesn't matter and it's just sitting around.
For example, have they reproduced it? If they haven't even done that then it's probably going nowhere.
Who knows, maybe they have an LLM doing prioritization and it doesn't understand MTE because there aren't enough web pages about it yet.
I continue to doubt that this has reached the development team. I might be wrong, however.
matchboxbananasynergy I continue to doubt that this has reached the development team. I might be wrong, however.
Proton support sent me the following, on Sep 11:
The Android development team is already aware of some crashes happening with WireGuard due to memory corruption, and they're actively being looked into.
Unless they are not speaking truth, I have to assume that the sentence means it has, at some point, reached the ears of a development team. Although "some crashes" is vague enough to not aspire much confidence that the support team relayed my emails to the development team, it sounds like at least some memory corruption was being looked into at some point in the past.
Extremely frustrating that a company heavily marketed towards privacy continue to not prioritize this (but at least we now have confirmation of that). Also does not inspire confidence that, with the exception of Proton Pass, all their apps have obvious incompatibilities when being run with memory tagging. A direct competitor has fixed a memory safety issue reported by a GrapheneOS user and is now running their Android app with memory tagging on GrapheneOS in order to debug further issues. That appears to be in stark contrast to what Proton is doing. I will be relaying the Go bug to them, then I will give up on their support team. Someone else is welcome to pick up the ball!
Wishing you all a happy day.
(And thank you for your patience with my expressed frustration!).
- Edited
Would it make sense to try complaining on their subreddit? "YOUR DEVICES MIGHT BE VULNERABLE BECAUSE OF PROTONS INACTION – memory-corruption bug reported months ago still unfixed" might make people panic a little and definitely not the kind of discourse you'd generally want, but if that's what's needed to get them to actually do something, maybe it's worth it?
fxnn Well, for one, I personally don't like that part of the dark web. Secondly, I don't much believe in fear-inspiring headlines. If someone wrote a Reddit post, it might be beneficial with an attention-grabbing headline, sure, but I think an explanation of an issue should also illustrate the situation in a reasoned way (preferably without pressing the Caps Lock button), and not invoke imminent fear and uncertainty.
- Edited
fid02 Also does not inspire confidence that, with the exception of Proton Pass, all their apps have obvious incompatibilities when being run with memory tagging.
Only Proton VPN and Wallet encounter an error when memory tagging is enabled. Mail, Calendar, Drive and Pass run perfectly fine with it enabled.
ErnestThornhill Mail, Calendar, Drive
Occasional sudden shutdown of the apps occur for me when I run them with memory tagging. Have also seen other users report this in the community chat rooms.
ErnestThornhill But, perhaps you are running newer versions than I have, maybe beta versions? If so, it would of course be good news if the issues with those apps have been fixed.
fid02 Nope. They've always worked fine for me in terms of memory tagging being enabled.
- Edited
Appears that Proton VPN are actually paying attention to their Github issue tracker after all: https://github.com/ProtonVPN/android-app/issues/151#issuecomment-2498460106
Hb1hf aren't those apps basically PWAs?
No.
In hindsight, I'm not sure why I went with the difficult (and, in the end, frustrating) approach of contacting Proton support instead of their security team or posting on the Github tracker. OneDeuxTriSeiGo did a good thing in reporting this issue and including the tombstone.
fid02 Glad they finally noticed this issue. Memory Tagging issues are not exclusive to Proton VPN, so hopefully the other apps (Mail, Calendar, Drive) will be fixed as well.
Glad they finally noticed this issue.
They have been aware of the issue for months and have apparently looked into it at some point, but paused the effort some time ago. Maybe they have resumed the investigation? They are not sharing details at all, and unlike a certain other VPN competitor, they are not publicly asking for assistance in reproducing or debugging the issue, or any information at all. I know for a fact that a developer of a security software raised the issue with them a couple of months ago. Everything put together, I think it shows a surprisingly poor security posture from a company that completely depends upon their reputation of being a leader in privacy-respecting products. What if this bug had been a perfect way to deanonymize users or otherwise cause them harm? I have cancelled my subscription.