
Linux GUI Client config is user-writable

Advisory ID
FZ-2026-004
Affected component
Linux GUI Client
Affected version(s)
< 1.5.13
Fixed version(s)
1.5.13
Published

Summary

The Linux Firezone Client persisted its advanced settings — the file advanced_settings.json, which holds the authentication URL, the control-plane URL, and the log filter — in a directory under the user's home (~/.config/dev.firezone.client/config). Any process running as that user could write to this file. Because the privileged tunnel service uses these values to decide where to authenticate and connect, a same-user process could modify the configuration the Client relied on.

Impact

An unprivileged process running as the same desktop user could edit the advanced settings file to change how the Client connects — for example, redirecting the authentication and control-plane URLs to attacker-controlled infrastructure — without any elevation or user prompt. The attacker only needs to run code in the user's session.

Who is affected

Linux GUI Clients prior to 1.5.13. The Linux headless Client is not affected — it does not use the GUI's advanced settings file.

Remediation

Upgrade to Linux GUI Client 1.5.13 or later.

1.5.13 moves ownership of the advanced settings into the tunnel service's own configuration directory, /var/lib/dev.firezone.client/config, which is owned by the service and restricted to mode 0o770 so other users can neither read nor modify it. Existing settings are migrated automatically on first upgrade.
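A permission audit for the two layouts this advisory describes, added here as an example and not code from the Firezone project: it flags a legacy advanced_settings.json that the desktop user owns (the pre-1.5.13 condition) and a service configuration directory that is not restricted to 0770. The advisory does not name the service account, so its uid is passed in by the caller; the demo() helper builds constructed layouts in a scratch directory rather than touching a real install.

```python
import os
import stat
import tempfile
from pathlib import Path

# Paths named in the advisory; the legacy file lives under the desktop user's home.
LEGACY_SETTINGS = Path("~/.config/dev.firezone.client/config/advanced_settings.json")
SERVICE_CONFIG_DIR = Path("/var/lib/dev.firezone.client/config")

def audit_legacy_settings(path=LEGACY_SETTINGS, user_uid=None):
    # Pre-1.5.13 layout: a file the unprivileged desktop user owns, trusted by the privileged service.
    path = Path(path).expanduser()
    user_uid = os.getuid() if user_uid is None else user_uid
    if not path.is_file():
        return []  # no legacy file: nothing for a same-user process to tamper with
    st = path.stat()
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid == user_uid:
        findings.append(f"{path}: owned by desktop user uid {user_uid} (pre-1.5.13 layout)")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: group- or world-writable (mode {mode:04o})")
    return findings

def audit_service_dir(path=SERVICE_CONFIG_DIR, service_uid=None):
    # 1.5.13 layout: service-owned (uid supplied by the operator; the advisory does not name it), mode 0770.
    path = Path(path)
    if not path.is_dir():
        return [f"{path}: missing; the 1.5.13 migration has not taken effect"]
    st = path.stat()
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if service_uid is not None and st.st_uid != service_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected service uid {service_uid}")
    if mode & stat.S_IRWXO:
        findings.append(f"{path}: mode {mode:04o} grants access to other users, expected 0770")
    return findings

def demo():
    # Constructed layouts in a scratch directory, so the checks run without a Firezone install.
    root = Path(tempfile.mkdtemp())
    legacy = root / ".config" / "dev.firezone.client" / "config" / "advanced_settings.json"
    legacy.parent.mkdir(parents=True)
    legacy.write_text("{}")  # placeholder contents; the real keys are not given in the advisory
    legacy.chmod(0o644)
    good, lax = root / "good", root / "lax"
    good.mkdir(); good.chmod(0o770)  # what 1.5.13 installs
    lax.mkdir(); lax.chmod(0o775)  # still readable by other local users
    return {"legacy": audit_legacy_settings(legacy), "good": audit_service_dir(good, os.getuid()),
            "lax": audit_service_dir(lax, os.getuid())}  # current user stands in for the service account
```

On a real host, call audit_legacy_settings() for each desktop user's home and audit_service_dir(service_uid=...) with the uid the tunnel service runs as; an empty list from both means the 1.5.13 layout is in place.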

Workarounds

There is no configuration-level workaround. Until you can upgrade, reduce exposure by keeping untrusted software out of the desktop user's session.

Credits

Found and reported internally by the Firezone team.