Windows device ID file is world-readable
- Advisory ID: FZ-2026-006
- Affected component: Windows Client
- Affected version(s): < 1.5.13
- Fixed version(s): 1.5.13
- Published
Summary
On Windows, the Firezone Client's device identifier file —
C:\ProgramData\dev.firezone.client\config\firezone-id.json — was readable by
any user on the system. Firezone derives a unique, persistent device ID and uses
it to enforce device verification policies. Because the file was world-readable,
its contents could be read and copied off the device by any local user.
Impact
An attacker who can read the device ID file (any local user) could copy it to a different machine and present that device ID to Firezone, causing the other machine to be treated as the verified device. This bypasses device verification policies that are intended to restrict access to known, verified devices. Combined with compromised user credentials, it allows access to protected Resources from an unverified, non-company device.
Who is affected
Both the Windows GUI Client and the Windows headless Client prior to 1.5.13 are affected — they share the same device ID file. Linux is not affected (neither the GUI nor the headless Client) — its device ID file was already restricted to the service user.
Remediation
Upgrade to Windows Client 1.5.13 or later.
1.5.13 applies a protected DACL to the device ID file and its containing
directory, granting access only to SYSTEM and Administrators, so
unprivileged users can no longer read the device ID.
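To confirm the fix on an upgraded host, the following PowerShell audit (an added example, not Firezone's own code) reads the DACL on the device ID file and its containing directory and reports any Allow ACE for a principal other than SYSTEM or Administrators, or a DACL that still inherits from its parent. It assumes the default path quoted in the Summary; the well-known SIDs are used so the check does not depend on localized account names.

```powershell
# Added example (not Firezone's code): audit the DACL on the Firezone device ID
# file and its directory. Expected after 1.5.13: a protected DACL (no inherited
# ACEs) that grants access only to NT AUTHORITY\SYSTEM and BUILTIN\Administrators.
$Paths = @(
    'C:\ProgramData\dev.firezone.client\config',                   # default path (assumed)
    'C:\ProgramData\dev.firezone.client\config\firezone-id.json'
)

# Well-known SIDs for the two principals the fixed version grants access to.
$AllowedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
)

function Test-FirezoneIdAcl {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not found: $Path"
        return $false
    }

    $acl = Get-Acl -LiteralPath $Path
    $ok  = $true

    # A protected DACL does not inherit ACEs from C:\ProgramData (which is
    # readable by all users by default).
    if (-not $acl.AreAccessRulesProtected) {
        Write-Warning "$Path : DACL is not protected (inherits from parent)"
        $ok = $false
    }

    foreach ($ace in $acl.Access) {
        # Resolve the ACE principal to its SID before comparing.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($ace.AccessControlType -eq 'Allow' -and $AllowedSids -notcontains $sid) {
            Write-Warning "$Path : unexpected Allow ACE for $($ace.IdentityReference) ($($ace.FileSystemRights))"
            $ok = $false
        }
    }

    if ($ok) { Write-Host "$Path : OK (SYSTEM and Administrators only, DACL protected)" }
    return $ok
}

$allOk = $true
foreach ($p in $Paths) { if (-not (Test-FirezoneIdAcl -Path $p)) { $allOk = $false } }
if (-not $allOk) { exit 1 }   # non-zero exit lets a fleet-wide compliance job flag the host
```

Run it from an elevated prompt; a non-zero exit or any warning means the device ID is still exposed to unprivileged local users and the Client should be upgraded.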
Workarounds
There is no configuration-level workaround short of upgrading.
Credits
Reported by GitHub user @intuinewin.