[CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections

Stanley Pain

Fairly nasty VPN vuln across multiple Linux distros (and Android, macOS and other *nix OSes). Not systemd-specific either, since rc.d and SysV init systems were found to be vulnerable.

https://seclists.org/oss-sec/2019/q4/122

There are some mitigations discussed in the link. Definitely worth a read from an informative perspective and highly recommended if you have users out in the field or have large deployments. Going to be interesting to see how this plays out over the next few days.
 
No surprise though, thieves are going to find ways to steal what they want.
 
Apparently it's not an issue under 18.04 LTS, and I've tested and I'm good. So I think I'll play a game.

Yup, only the latest Ubuntu is vulnerable, which the CVE states. You can actually blame systemd for that one.

They all use systemd; it seems like a minor change in the latest release that's resulted in a vulnerability. It's why I don't use bleeding-edge rolling/non-LTS releases.
 

No, it's not systemd-specific, but in Ubuntu's case it's a systemd change that causes the vuln.
 
This one is bad, but it's being blown out of proportion. This isn't some script-kiddie exploit like Ryuk. For this to be exploited you need to be able to do this:

1. Determining the VPN client's virtual IP address, which requires the attacker to have compromised the WAP or router and/or be on the adjacent network that the target system is on. In all those cases you're already fucked.
2. Using the virtual IP address to make inferences about active connections.
3. Using the encrypted replies to unsolicited packets to determine the sequence and acknowledgment numbers of the active connection and hijack the TCP session.
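Step 1 of the list above, as an added model that is not code from the thread, the advisory or any VPN project: a Python simulation of a VPN client that accepts unsolicited segments for its tunnel address on the LAN interface, and of the reverse-path filter (net.ipv4.conf.*.rp_filter) the advisory discusses as a mitigation. The systemd change the thread blames for Ubuntu is systemd's default sysctl moving rp_filter from 1 (strict) to 2 (loose), which the model reproduces as two modes. Interface names, addresses (private and documentation ranges), ports and the route table are constructed for the model; nothing here sends packets.

```python
"""Constructed model of step 1 of CVE-2019-14899 and of the rp_filter check.

A VPN client has a LAN interface (eth0) and a tunnel (tun0) and routes
everything except the LAN and the VPN server through tun0. An attacker on
the LAN sends unsolicited TCP segments to candidate virtual IPs. Whether the
client even looks at such a segment depends on net.ipv4.conf.*.rp_filter.
Interface names, addresses and ports are invented for the model; nothing
here touches the network.
"""
import ipaddress

RP_OFF, RP_STRICT, RP_LOOSE = 0, 1, 2       # sysctl rp_filter values


class Packet:
    def __init__(self, src, dst, dport, flags, ingress):
        self.src = ipaddress.ip_address(src)
        self.dst = ipaddress.ip_address(dst)
        self.dport = dport
        self.flags = set(flags)           # e.g. {"SYN", "ACK"}
        self.ingress = ingress            # interface the segment arrived on


class Host:
    def __init__(self, addrs, routes, rp_filter):
        self.addrs = {i: ipaddress.ip_address(a) for i, a in addrs.items()}
        self.routes = [(ipaddress.ip_network(n), i) for n, i in routes]
        self.rp_filter = rp_filter
        self.listening = set()            # local TCP ports with a listener

    def egress_for(self, addr):
        """Longest-prefix match: which interface would reach addr?"""
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def reverse_path_ok(self, pkt):
        """RFC 3704 reverse-path check, in the three modes Linux rp_filter has."""
        if self.rp_filter == RP_OFF:
            return True
        back = self.egress_for(pkt.src)
        if back is None:
            return False                  # no route back to the source: drop
        if self.rp_filter == RP_LOOSE:
            return True                   # loose: any route back is enough
        return back == pkt.ingress        # strict: must be the ingress iface

    def receive(self, pkt):
        """Reply the host emits for pkt, or None if it stays silent."""
        if not self.reverse_path_ok(pkt):
            return None
        # Weak host model: a local address is accepted on any interface,
        # so a segment for the tun0 address is taken in on eth0.
        if pkt.dst not in self.addrs.values():
            return None
        # Segment with ACK set and no matching socket: RFC 793 answers RST.
        if "ACK" in pkt.flags and pkt.dport not in self.listening:
            return {"type": "RST", "to": str(pkt.src), "via": self.egress_for(pkt.src)}
        return None


def make_victim(rp_filter):
    return Host(
        addrs={"eth0": "192.168.1.20", "tun0": "10.8.0.8"},
        routes=[("192.168.1.0/24", "eth0"),
                ("203.0.113.5/32", "eth0"),   # VPN server, reached over the LAN
                ("10.8.0.0/24", "tun0"),
                ("0.0.0.0/0", "tun0")],       # default route through the tunnel
        rp_filter=rp_filter,
    )


def find_virtual_ip(victim, candidates, spoofed_src, ingress="eth0"):
    """Step 1 of the post: probe every candidate address on the LAN with a
    SYN-ACK and report those that provoke any reply. If the reply leaves via
    tun0 the LAN attacker only sees an encrypted packet appear, but its
    appearance (and size) is the signal; via eth0 it is visible in the clear."""
    hits = []
    for cand in candidates:
        probe = Packet(spoofed_src, str(cand), 40000, {"SYN", "ACK"}, ingress)
        if victim.receive(probe) is not None:
            hits.append(str(cand))
    return hits


VIRTUAL_SPACE = list(ipaddress.ip_network("10.8.0.0/24").hosts())
REMOTE_PEER = "198.51.100.10"    # a server the victim talks to through the VPN
LAN_ROUTER = "192.168.1.1"       # the LAN gateway the attacker can also impersonate

if __name__ == "__main__":
    for mode, name in ((RP_LOOSE, "loose"), (RP_STRICT, "strict")):
        for src in (REMOTE_PEER, LAN_ROUTER):
            hits = find_virtual_ip(make_victim(mode), VIRTUAL_SPACE, src)
            print(f"rp_filter={name:6} spoofed src={src:14} -> {hits or 'no reply'}")
```

What the model makes visible is the limit of the mitigation: strict mode drops a probe only when its spoofed source would be routed back through tun0, which is exactly what steps 2 and 3 need (impersonating the remote peer of the tunneled connection). A probe that claims a LAN source still passes strict mode and is answered on eth0, so strict rp_filter is the right setting to check on a client, not a reason to treat the LAN as trusted.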
 