[Security] Implement process hardening for the Brave VPN services #39230

Closed
thypon opened this issue Jun 21, 2024 · 1 comment · Fixed by brave/brave-core#24409

thypon (Member) commented Jun 21, 2024

Test Plan

  1. Install a version of Brave with this fix. Make sure escalation to admin happens (UAC prompt).
  2. Verify the Elevation Service for this channel is installed in services.msc.
  3. Visit account.brave.com and log in to an account with Brave VPN or buy Brave VPN
  4. Verify Use WireGuard protocol in Brave VPN is enabled on brave://settings/system
  5. Pick a VPN server and verify you can connect. Use https://whatismyipaddress.com/ to verify your location changed
  6. Disconnect from VPN
  7. Disable Use WireGuard protocol in Brave VPN on brave://settings/system
  8. Pick a VPN server and verify you can connect. Use https://whatismyipaddress.com/ to verify your location changed
  9. Visit https://dnsleaktest.com/ and verify there are no leaks (this is what the Brave DNS service fixes)

Platforms

Windows

Description

Let's implement a ProcessRedirectionTrustPolicy inside the Elevation Service.

This feature will allow hardening the Elevation Service infrastructure against vertical privilege escalations.

- thypon added the priority/P3 label (Jun 21, 2024)
- thypon assigned thypon and unassigned bsclifton (Jun 25, 2024)
- bsclifton changed the title from "Implement process hardening for the Elevation Service" to "Implement process hardening for the Brave VPN services" (Jun 28, 2024)
- brave-builds added this to the 1.69.x - Nightly milestone (Jul 1, 2024)
- LaurenWags changed the title from "Implement process hardening for the Brave VPN services" to "[Security] Implement process hardening for the Brave VPN services" (Jul 10, 2024)

MadhaviSeelam commented Jul 12, 2024

Verification PASSED using

| Brave | 1.69.101 Chromium: 127.0.6533.43 (Official Build) nightly (64-bit) |
| -- | -- |
| Revision | 9073515479afc03ab66a21bb8175263fc56ba1f1 |
| OS | Windows 11 Version 23H2 (Build 22631.3880) |

  1. Downloaded BraveBrowserStandaloneNightlySetup.exe for 1.69.101 nightly
  2. Accepted Yes at the UAC prompt
  3. launched Brave
  4. opened services.msc and confirmed Brave Nightly Elevation Service is installed
  5. opened account.brave.com in a new tab and authenticated with basic auth
  6. logged in with existing subscription ([email protected])
  7. clicked Refresh button on the subscription page
  8. opened brave://settings/system page in a new tab
  9. confirmed Use Wireguard protocol in Brave VPN is enabled
  10. selected Brazil region in the VPN panel
  11. confirmed Wireguard toggle is read only status
  12. visited whatismyipaddress.com in a new tab
  13. confirmed Brazil location is shown
  14. visited https://dnsleaktest.com/ in a new tab
  15. confirmed no DNS leaks