New Linux vulnerability lets attackers hijack VPN connections
Miroslav Lachman
000.fbsd at quip.cz
Sun Dec 8 20:37:46 UTC 2019
Eugene Grosbein wrote on 2019/12/08 12:33:
> 08.12.2019 16:25, Miroslav Lachman wrote:
>
>> https://www.bleepingcomputer.com/news/security/new-linux-vulnerability-lets-attackers-hijack-vpn-connections/
>>
>> Security researchers found a new vulnerability allowing potential attackers to hijack VPN connections on affected *NIX devices and inject arbitrary data payloads into IPv4 and IPv6 TCP streams.
>>
>> They disclosed the security flaw tracked as CVE-2019-14899 to distros and the Linux kernel security team, as well as to others impacted such as Systemd, Google, Apple, OpenVPN, and WireGuard.
>>
>> The vulnerability is known to impact most Linux distributions and Unix-like operating systems including FreeBSD, OpenBSD, macOS, iOS, and Android.
>>
>> Attacks exploiting CVE-2019-14899 work against OpenVPN, WireGuard, and IKEv2/IPSec, but the researchers are still testing their feasibility against Tor.
>>
>> https://seclists.org/oss-sec/2019/q4/122
>
> Why do these "researchers" call it "new"? There is nothing new in lack of standard anti-spoofing filtering
> for network interfaces of any kind, be it tunnels or not.
>
> Our /etc/rc.firewall has "Stop spoofing" configuration by phk@ since first revision committed in 1996.
> Our gif(4) interface has built-in anti-spoofing feature enabled by default, too.

They need to hype it a bit. It sounds more urgent than "old
vulnerability". And partly because it is new to some Linux distributions
where some antispoof settings were turned off.

cite: We see that the default settings in sysctl.d/50-default.conf in
the systemd repository were changed from “strict” to “loose” mode on
November 28, 2018, so distributions using a version of systemd without
modified configurations after this date are now vulnerable.

Miroslav Lachman
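
The strict versus loose setting discussed above can be audited on a Linux host with a short script. This is an added example, not part of the original message or of any project's code: the function names are hypothetical, the sample sysctl tree is constructed, and it assumes the documented Linux behaviour that the kernel applies the larger of `conf/all/rp_filter` and `conf/<iface>/rp_filter` on each interface (IPv4 only).

```shell
#!/bin/sh
# rp_filter: 0 = no source validation, 1 = strict, 2 = loose.
# Assumption (Linux ip-sysctl docs): effective value = max(all, <iface>).

# effective_rp_filter CONF_DIR IFACE -> prints the value the kernel applies
effective_rp_filter() {
    all=$(cat "$1/all/rp_filter")
    own=$(cat "$1/$2/rp_filter")
    if [ "$own" -gt "$all" ]; then echo "$own"; else echo "$all"; fi
}

# audit_rp_filter [CONF_DIR] -> lists interfaces whose effective mode is
# not strict; returns 1 if any were found, 0 otherwise.
audit_rp_filter() {
    conf=${1:-/proc/sys/net/ipv4/conf}
    bad=0
    for d in "$conf"/*/; do
        [ -d "$d" ] || continue
        iface=$(basename "$d")
        case $iface in all|default) continue ;; esac
        mode=$(effective_rp_filter "$conf" "$iface")
        if [ "$mode" -ne 1 ]; then
            echo "$iface: rp_filter=$mode (not strict)"
            bad=1
        fi
    done
    return $bad
}

# make_sample -> builds a constructed sysctl tree and prints its path.
# tun0 is set to strict, but all=2 overrides it to loose.
make_sample() {
    root=$(mktemp -d)
    for pair in all:2 default:2 eth0:0 tun0:1; do
        mkdir -p "$root/${pair%%:*}"
        echo "${pair##*:}" > "$root/${pair%%:*}/rp_filter"
    done
    echo "$root"
}

sample=$(make_sample)
audit_rp_filter "$sample" || echo "at least one interface is not in strict mode"
rm -rf "$sample"
```

Calling `audit_rp_filter` with no argument reads the live values under `/proc/sys/net/ipv4/conf`.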
More information about the freebsd-security
mailing list