Update: Apple has fixed the flaw according to Mullvad’s recent blog post.
Mullvad VPN has published a warning to alert its macOS users that its client app doesn’t work correctly on Apple’s upcoming major release macOS 14, codenamed ‘Sonoma.’
According to the VPN vendor, a firewall bug in the new system prevents firewall rules from being applied correctly to network traffic, allowing packets that should normally be blocked to pass through. Although the bug is not limited to VPN apps, it is particularly problematic for them because it undermines their security, potentially leading to data leaks that might jeopardize the user’s privacy and anonymity.
“During the macOS 14 Sonoma beta period, Apple introduced a bug in the macOS firewall, packet filter (PF). This bug prevents our app from working, and can result in leaks when some settings (e.g., local network sharing) are enabled.” - Mullvad VPN
The Mullvad VPN team tested their app in macOS 14 beta 6, and also on the upcoming system’s release candidate (RC), and the firewall flaw is present on both. Considering that ‘Sonoma’ is scheduled for release by September 26, 2023, there are less than two weeks left to iron out bugs of this type, assuming that Apple considers this a security problem in the first place.
RestorePrivacy has contacted Apple to learn more about the issue and whether or not the consumer tech giant is planning to release a fix before the announcement of stable macOS 14 or in one of the first point releases, and we will update this post as soon as we receive a response.
What should macOS VPN users do?
While we normally recommend keeping your operating system and apps updated to the latest version, this will be an exception to those recommendations. Until Apple fixes this critical firewall flaw, macOS users should remain on macOS 13 Ventura. The security risks of upgrading and having your VPN traffic exposed are greater than those of staying on macOS 13 Ventura.
Mullvad makes the same recommendation:
“MacOS 14 Sonoma is scheduled to be released on the 26th of September, if the bug is still present we recommend our users to remain on macOS 13 Ventura until it is fixed.” - Mullvad VPN
How to reproduce the firewall flaw on macOS Sonoma
Mullvad has also provided technical instructions on how to reproduce the bug, which will help confirm that future fixes work as expected. The test evaluates the macOS firewall, specifically its packet filter (PF). It loads firewall rules that should block and log certain traffic, then checks whether the firewall actually filters that traffic. So far, in macOS 14, the firewall fails to block the specified traffic and does not log it, indicating a malfunction in the firewall system.
Be warned that the given test will erase any pre-existing firewall rules loaded in the packet filter. If you wish to preserve these rules, you should not run the test.
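The kind of check described above can be scripted as shown below. This is an added example, not Mullvad's published instructions and not code from the original article. The function names, the curl probe, and the pflog0 capture are choices made for this example, and the target IP address and TCP port are supplied by whoever runs it. Like the test above, it replaces the loaded PF ruleset.

```shell
#!/bin/sh
# Added example, not Mullvad's published procedure. Run as root on macOS:
#   sudo sh pf_check.sh run <reachable-ip> <tcp-port>
# WARNING: replaces the loaded PF ruleset, then reloads /etc/pf.conf.

# One rule that must drop AND log outbound TCP to the target.
build_rules() {
    printf 'block drop out log quick inet proto tcp from any to %s port %s\n' "$1" "$2"
}

# $1 = curl exit status (0 = connection and transfer succeeded),
# $2 = number of packets PF logged for the target.
verdict() {
    if [ "$1" -eq 0 ]; then
        echo "FAIL: traffic passed a block rule"
    elif [ "$2" -gt 0 ]; then
        echo "OK: traffic blocked and logged"
    else
        echo "INCONCLUSIVE: no connection, but PF logged nothing"
    fi
}

run_test() {
    target=$1 port=$2 log=$(mktemp)
    # Make sure the PF logging interface exists before capturing on it.
    ifconfig pflog0 >/dev/null 2>&1 || ifconfig pflog0 create
    build_rules "$target" "$port" | pfctl -f - || return 2
    pfctl -e 2>/dev/null || true          # non-zero if PF was already enabled
    tcpdump -n -l -i pflog0 "dst host $target" >"$log" 2>/dev/null &
    tpid=$!
    sleep 1
    curl -s -o /dev/null --connect-timeout 5 "http://$target:$port/"
    rc=$?
    sleep 1
    kill "$tpid" 2>/dev/null
    hits=$(wc -l <"$log" | tr -d ' ')
    rm -f "$log"
    pfctl -f /etc/pf.conf 2>/dev/null     # restore the system default ruleset
    verdict "$rc" "$hits"
}

# Only touch the firewall when explicitly asked to.
if [ "${1:-}" = "run" ] && [ $# -eq 3 ]; then
    run_test "$2" "$3"
fi
```

Pick a target that answers HTTP on the given port when no block rule is loaded; otherwise a failed connection says nothing about the firewall and the script reports INCONCLUSIVE.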
While no other VPN providers have reported pre-release testing of their apps on the forthcoming macOS system, the inherent flaw likely affects all to some degree. Therefore, all macOS VPN users should exercise caution and opt to stay on macOS 13 until the situation clears up.