Jump to content
  • Bug in macOS 14 Sonoma prevents our app from working

    aum

    • 566 views
    • 3 minutes
     Share


    • 566 views
    • 3 minutes

    The macOS 14 Sonoma betas and release candidate contain a bug that causes the firewall to not filter traffic correctly. As a result, our app does not work.

     

    During the macOS 14 Sonoma beta period Apple introduced a bug in the macOS firewall, packet filter (PF). This bug prevents our app from working, and can result in leaks when some settings (e.g. local network sharing) are enabled. We cannot guarantee functionality or security for users on macOS 14, we have investigated this issue after the 6th beta was released and reported the bug to Apple. Unfortunately the bug is still present in later macOS 14 betas and the release candidate.

     

    We have evaluated whether we can patch our VPN app in such a way that it works and keeps users secure in macOS 14. But unfortunately there is no good solution, as far as we can tell. We believe the firewall bugs must be fixed by Apple.

     

    The bug affects much more than just the Mullvad VPN app. Firewall rules do not get applied properly to network traffic, and traffic that is not supposed to be allowed is allowed. We deem this to be a critical flaw in the firewall, anyone relying on PF filtering, or apps using it in the background on their macOS devices should be cautious about upgrading to macOS 14.

     

    Our recommendations


    MacOS 14 Sonoma is scheduled to be released on the 26th of September, if the bug is still present we recommend our users to remain on macOS 13 Ventura until it is fixed.

     

    Technical details


    The following steps can be taken on macOS 14 to reproduce the issue. Warning: This will clear out any firewall rules you might have loaded in PF.

    In a terminal, create a virtual logging interface and start watching it for traffic matching the rules you will add later:

     

    sudo ifconfig pflog1 create
    sudo tcpdump -nnn -e -ttt -i pflog1

     

    Write the following firewall rules to a file named pfrules:

     

    pass quick log (all, to pflog1) inet from any to 127.0.0.1
    block drop quick log (all, to pflog1)

     

    In another terminal, enable PF and load the rules:

     

    sudo pfctl -e
    sudo pfctl -f pfrules

     

    Ping the mullvad.net webserver:

     

    ping 45.83.223.209

     

    Expected results

     

    • Ping is blocked, since it does not match the only pass rule’s requirements
    • The traffic is logged to pflog1. More specifically we expect it to be logged as matching the block rule


    Actual results

     

    • Ping is allowed out on the internet, and the response comes back
    • No traffic is being logged to pflog1


    Cleaning up after the experiment


    Disable the firewall and clear all rules.

     

    sudo pfctl -d
    sudo pfctl -f /etc/pf.conf

     

    Follow our blog for future updates to this issue.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...