Miroslav Lachman
2019-Dec-08 09:25 UTC
New Linux vulnerability lets attackers hijack VPN connections
https://www.bleepingcomputer.com/news/security/new-linux-vulnerability-lets-attackers-hijack-vpn-connections/

Security researchers found a new vulnerability allowing potential attackers to hijack VPN connections on affected *NIX devices and inject arbitrary data payloads into IPv4 and IPv6 TCP streams.

They disclosed the security flaw tracked as CVE-2019-14899 to distros and the Linux kernel security team, as well as to others impacted such as Systemd, Google, Apple, OpenVPN, and WireGuard.

The vulnerability is known to impact most Linux distributions and Unix-like operating systems including FreeBSD, OpenBSD, macOS, iOS, and Android.

Attacks exploiting CVE-2019-14899 work against OpenVPN, WireGuard, and IKEv2/IPSec, but the researchers are still testing their feasibility against Tor.

https://seclists.org/oss-sec/2019/q4/122

--
Miroslav Lachman
Eugene Grosbein
2019-Dec-08 11:33 UTC
New Linux vulnerability lets attackers hijack VPN connections
08.12.2019 16:25, Miroslav Lachman wrote:

> https://www.bleepingcomputer.com/news/security/new-linux-vulnerability-lets-attackers-hijack-vpn-connections/
>
> Security researchers found a new vulnerability allowing potential attackers to hijack VPN connections on affected *NIX devices and inject arbitrary data payloads into IPv4 and IPv6 TCP streams.
>
> They disclosed the security flaw tracked as CVE-2019-14899 to distros and the Linux kernel security team, as well as to others impacted such as Systemd, Google, Apple, OpenVPN, and WireGuard.
>
> The vulnerability is known to impact most Linux distributions and Unix-like operating systems including FreeBSD, OpenBSD, macOS, iOS, and Android.
>
> Attacks exploiting CVE-2019-14899 work against OpenVPN, WireGuard, and IKEv2/IPSec, but the researchers are still testing their feasibility against Tor.
>
> https://seclists.org/oss-sec/2019/q4/122

Why do these "researchers" call it "new"? There is nothing new in the lack of standard anti-spoofing filtering for network interfaces of any kind, be it tunnels or not.

Our /etc/rc.firewall has a "Stop spoofing" configuration by phk@ since the first revision committed in 1996. Our gif(4) interface has a built-in anti-spoofing feature enabled by default, too.
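The per-interface source anti-spoofing check the reply refers to can be modelled as follows. This is an added example, not part of the original posts and not FreeBSD's own code; the interface names, networks and sample packets are constructed assumptions.

```python
import ipaddress

# Constructed topology (assumed values): networks attached to each interface.
ATTACHED = {
    "em0": ["192.0.2.0/24", "2001:db8:1::/64"],  # physical LAN
    "tun0": ["10.8.0.0/24", "fd00:8::/64"],      # VPN tunnel
}
NETS = [(ipaddress.ip_network(n), ifname)
        for ifname, nets in ATTACHED.items() for n in nets]


def owner_interface(addr):
    """Interface whose attached network contains addr (longest prefix), or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, ifname) for net, ifname in NETS
               if net.version == ip.version and ip in net]
    return max(matches)[1] if matches else None


def ingress_verdict(in_if, src):
    """Deny a packet whose source belongs to a network on another interface."""
    owner = owner_interface(src)
    if owner is not None and owner != in_if:
        return "deny"
    # Sources outside every attached network are not judged by this check.
    return "pass"


# Constructed sample packets: (receiving interface, claimed source address).
SAMPLES = [
    ("tun0", "10.8.0.1"),     # tunnel peer arriving through the tunnel
    ("em0", "10.8.0.1"),      # tunnel address claimed on the physical LAN
    ("em0", "203.0.113.5"),   # remote host, not in any attached network
    ("em0", "fd00:8::1"),     # IPv6 tunnel address claimed on the physical LAN
    ("tun0", "192.0.2.10"),   # LAN address claimed inside the tunnel
]


def run_samples():
    """Verdicts for SAMPLES, in order."""
    return [ingress_verdict(in_if, src) for in_if, src in SAMPLES]


if __name__ == "__main__":
    for (in_if, src), verdict in zip(SAMPLES, run_samples()):
        print(f"{in_if:5} src={src:15} -> {verdict}")
```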