New Linux vulnerability lets attackers hijack VPN connections

Eugene Grosbein eugen at grosbein.net
Sun Dec 8 11:37:29 UTC 2019


08.12.2019 16:25, Miroslav Lachman wrote:

> https://www.bleepingcomputer.com/news/security/new-linux-vulnerability-lets-attackers-hijack-vpn-connections/
> 
> Security researchers found a new vulnerability allowing potential attackers to hijack VPN connections on affected *NIX devices and inject arbitrary data payloads into IPv4 and IPv6 TCP streams.
> 
> They disclosed the security flaw tracked as CVE-2019-14899 to distros and the Linux kernel security team, as well as to others impacted such as Systemd, Google, Apple, OpenVPN, and WireGuard.
> 
> The vulnerability is known to impact most Linux distributions and Unix-like operating systems including FreeBSD, OpenBSD, macOS, iOS, and Android.
> 
> Attacks exploiting CVE-2019-14899 work against OpenVPN, WireGuard, and IKEv2/IPSec, but the researchers are still testing their feasibility against Tor.
> 
> https://seclists.org/oss-sec/2019/q4/122

Why do these "researchers" call it "new"? There is nothing new in lack of standard anti-spoofing filtering
for network interfaces of any kind, be it tunnels or not.

Our /etc/rc.firewall has "Stop spoofing" configuration by phk@ since first revision committed in 1996.
Our gif(4) interface has built-in anti-spoofing feature enabled by default, too.




More information about the freebsd-security mailing list