[CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections

Stanley Pain

2[H]4U
Joined
Apr 5, 2001
Messages
2,482
Fairly nasty VPN vuln across multiple Linux distros (and Android, macOS and other *nix OSes). Not systemd specific either, since rc.d and SysV init systems were found to be vulnerable.

https://seclists.org/oss-sec/2019/q4/122

There are some mitigations discussed in the link. Definitely worth a read from an informative perspective and highly recommended if you have users out in the field or have large deployments. Going to be interesting to see how this plays out over the next few days.
 

ManofGod

[H]F Junkie
Joined
Oct 4, 2007
Messages
11,842
No surprise though, thieves are going to find ways to steal what they want.
 

Mazzspeed

2[H]4U
Joined
Dec 27, 2017
Messages
2,607
Apparently it's not an issue under 18.04 LTS and I've tested and I'm good. So I think I'll play a game.

[screenshot attachment: nTDLuRy.png]

Mazzspeed

2[H]4U
Joined
Dec 27, 2017
Messages
2,607
Yup only the latest Ubuntu is vulnerable which the CVE states. You can actually blame systemd for that one.
They all use systemd; it seems like a minor change in the latest release that's resulted in a vulnerability. It's why I don't use bleeding-edge rolling/non-LTS releases.
 

Stanley Pain

2[H]4U
Joined
Apr 5, 2001
Messages
2,482
They all use systemd; it seems like a minor change in the latest release that's resulted in a vulnerability. It's why I don't use bleeding-edge rolling/non-LTS releases.
No, it's not systemd specific, but in Ubuntu's case it's a systemd change that causes the vuln.
 

Vermillion

Supreme [H]ardness
Joined
Apr 5, 2007
Messages
4,183
This one is bad but it's being blown out of proportion. This isn't some script kiddie exploit like Ryuk. For this to be exploited you need to be able to do this:

1. Determining the VPN client's virtual IP address, which requires the attacker to have compromised the WAP or router and/or be on the adjacent network that the system the attacker is attacking is on. In all those cases you're already fucked.
2. Using the virtual IP address to make inferences about active connections
3. Using the encrypted replies to unsolicited packets to determine the sequence and acknowledgment numbers of the active connection to hijack the TCP session
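An added example (not code from the thread) tying together the systemd point above and the mitigations in the OP's link: the linked advisory names strict reverse-path filtering (net.ipv4.conf.*.rp_filter = 1) as the main host-side mitigation, and the Ubuntu 19.10 regression was systemd's sysctl default moving that to loose mode (2). This POSIX shell function parses `sysctl -a` style lines and reports every interface whose effective rp_filter is not strict; the sysctl samples are constructed, and the interface names in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Reports interfaces whose effective
# Linux reverse-path filter is not strict (1). The kernel applies
# max(conf.all.rp_filter, conf.<iface>.rp_filter), so a loose "all" value
# (2, the systemd default that bit Ubuntu 19.10) overrides a strict
# per-interface setting.
#
# Input: "key = value" lines as printed by `sysctl -a`.
# Output: "<iface> loose|disabled", one per line, sorted; empty when all strict.
weak_rp_filter() {
    printf '%s\n' "$1" | awk -F'[ .=]+' '
        /^net\.ipv4\.conf\.[^ ]+\.rp_filter/ { v[$4] = $NF + 0 }
        END {
            a = ("all" in v) ? v["all"] : 0
            for (i in v) {
                if (i == "all" || i == "default") continue   # not real interfaces
                e = (v[i] > a) ? v[i] : a                     # effective value
                if (e != 1) print i, (e == 0 ? "disabled" : "loose")
            }
        }' | sort
}

# Live check on a Linux host (needs procps sysctl); its output is not asserted.
live_rp_filter_check() {
    weak_rp_filter "$(sysctl -a 2>/dev/null | grep '^net\.ipv4\.conf\..*\.rp_filter ')"
}

# Constructed samples. First: distro default flipped to loose, so even eth0's
# strict setting is overridden. Second: strict default, only the tunnel is loose.
SAMPLE_LOOSE_DEFAULT='net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.tun0.rp_filter = 2'

SAMPLE_STRICT_DEFAULT='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.tun0.rp_filter = 2'

echo "== loose default =="; weak_rp_filter "$SAMPLE_LOOSE_DEFAULT"
echo "== strict default =="; weak_rp_filter "$SAMPLE_STRICT_DEFAULT"
```

Run `live_rp_filter_check` on a real host to see which interfaces would still accept the spoofed-source probes the advisory describes; an empty result means every interface is effectively strict.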
 