Security researchers have discovered a new vulnerability that could allow a potential attacker to intercept a VPN connection on an affected * NIX device and inject arbitrary data payloads into IPv4 and IPv6 TCP streams. They have dedicated security flaws tracked as CVE-2019-14899 to distributions and Linux kernel security teams, as well as others affected, such as Systemd, Google, Apple, OpenVPN, and WireGuard.This vulnerability is known to affect most Linux distributions and Unix-like operating systems, including FreeBSD, OpenBSD, macOS, iOS, and Android. A list of currently incomplete vulnerable operating systems and init systems provided can be found below and can be further added if tested and found to be affected.
- Ubuntu 19.10 (System)
- Fedora (System)
- Debian 10.2 (System)
- Arch 2019.05 (System)
- Manjaro 18.1.1 (System)
- Devuan (SysV init)
- MX Linux 19 (Mepis + antiX)
- Void Linux (unit)
- Slackware 14.2 (rc.d)
- Deepin (rc.d)
- FreeBSD (rc.d)
- OpenBSD (rc.d)
All VPN implementations are affected
“This security flaw”, other users are VPN, network adjacent attacker can determine if they are connected to the virtual IP address assigned from the VPN server, and whether there is an active connection to a specific website “On at William J. Tolley, Beau Kujath and Jedidiah R. Crandall, Bad Researcher of the University of New Mexico.
In addition, researchers can determine the exact seq and ack numbers by counting or checking the size of encrypted packets, which allows us to inject data into the TCP
stream and intercept the connection. Attacks that exploit CVE-2019-14899 work against OpenVPN, WireGuard, and IKEv2 / IPSec, but researchers are still testing the feasibility of Tor.
Also, because the size of the packet and the number of packets sent are sufficient, the VPN technique used doesn’t seem to matter because the attack worked during the test, even if the response from the target was encrypted. Types of Data Packets Passed Through an Encrypted VPN Tunnel
This attack did not work for Linux distributions tested until Ubuntu 19.10 was released, and found that the rp_filter setting was set to “loose” mode. On November 28, 2018, the default setting of the system.d / 50-default.conf in the system repository changed from “strict” to “loose” mode, so deployment with a system version without configuration modified after this date is now vulnerable. Most Linux distributions using other init systems we tested to keep the default value of 0, the Linux kernel.
The researchers found that most of the Linux distributions tested were vulnerable to attacks that exploited this flaw. In addition, any distribution that transitions from strict mode to lose mode in a strict deployment mode using a system version released after November 28, 2018, is vulnerable.
Given this, any Linux distribution that uses the system version with the default configuration after this date is vulnerable.
Despite some distributions where certain system versions are vulnerable, the flaw is known to affect various init systems and is not relevant to the system as shown in the list of affected OSes available above.
In addition, Noel Kuntze, a network security consultant, said in a reply to a public report that only route-based VPN implementations are affected by the vulnerability.
The alleged Amazon Web Services staff also mentioned that the Amazon Linux distribution is not affected by attacks that exploit this flaw in AWS VPN products.
According to the researchers, it can be mitigated and potentially achieved by setting up reverse path filtering, using Bogon filtering, filtering out fake (fake) IP addresses, or using encrypted packet size and timing.
The steps required to exploit this vulnerability and run an attack designed to intercept the target’s VPN connection are:
1. Determine the virtual IP address of the VPN client
2. Virtual IP address
Inference about active connections using
The entire procedure for reproducing vulnerabilities in Linux distributions is described in detail in the public report published here.