Firezone logo light
← All security advisories

macOS Client config writable by other processes

Advisory ID
FZ-2026-001
Affected component
macOS Client
Affected version(s)
>= 1.4.15, < 1.5.16
Fixed version(s)
1.5.16
Published

Summary

The macOS Firezone Client persisted its user-editable configuration in a UserDefaults domain that any process running as the logged-in user could write to, for example with a simple defaults write command. Because this configuration governs how the Client behaves and connects, an unprivileged local process could modify these settings to influence the Client without the user's knowledge.

Impact

An unprivileged local process — malware, a malicious app, or any compromised process running in the user's session — could overwrite the Client's configuration without any elevation or user prompt, changing how the Client connects and behaves. Depending on which settings are altered, this could be used to interfere with the Client or redirect it toward attacker-controlled infrastructure.

This issue does not grant local privilege escalation on its own; the attacker must already be able to run code in the target user's session.

Who is affected

macOS Firezone Clients from 1.4.15 through 1.5.15 where the configuration is not enforced by MDM. The affected behavior was introduced in 1.4.15, when the Client's user-editable settings were consolidated into UserDefaults.

  • Clients with MDM-forced configuration are not affected. Settings deployed as forced values through a managed configuration profile (.mobileconfig / MDM) are read from the system-managed, read-only managed-preferences domain. Forced values take precedence over — and cannot be overridden by — a user-writable defaults write, so tampering is not possible for any forced key.
  • iOS is not affected. The iOS application sandbox prevents one app from writing another app's defaults.

Remediation

Upgrade to macOS Client 1.5.16 or later.

1.5.16 moves the Client's user-editable configuration into the Network Extension providerConfiguration, which only the host app and the tunnel provider are permitted to write. UserDefaults is now used only for read-only MDM managed values and forced overrides. On the first launch after upgrade, the Client automatically migrates any existing settings out of UserDefaults and removes the legacy keys.

Workarounds

If you cannot upgrade immediately, enforce the Client's configuration via an MDM managed configuration profile (forced values). Forced values are served from the system-managed preferences domain and cannot be overridden by local processes, which neutralizes this issue for the enforced keys. See the Deploy the Clients guide for how to deploy a managed configuration profile to your macOS fleet.

Credits

Found and reported internally by the Firezone team.