CVE-2019-14899 Vulnerability Lets Attackers Sniff or Hijack VPN on *nix based

[CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections.
https://seclists.org/oss-sec/2019/q4/122

https://seclists.org/oss-sec/2019/q4/123

sysctl.d: switch net.ipv4.conf.all.rp_filter from 1 to 2


@LTS_Tom - thanks so much for posting this - very helpful analysis since I was having trouble digesting the news.
Although FreeBSD was mentioned in the disclosure, I hope that a default install of pfSense would be hardened against this problem, for those people using a VPN client on their pfSense box.


Just a reminder, and as I said in the video, this is a client-side issue, not server. I am also less than clear if this would work when pfSense is a client with a public WAN. As far as I know pfSense does not accept the packets, and I am doubting it would use the rp_filter "loose" option to allow packets to come in that way.


@LTS_Tom

Thanks for the explanation. I'm no security researcher, however this attack seems very difficult to pull off in the wild. Thanks for your explanation.

Question does this apply only to systems running systemd as opposed to the classic init system?

Short answer is no. The change was made on November 28 2018 in the systemd GitHub, but it is also the default setting on some other systems not running systemd. So it really depends on each distro whether they changed the rp_filter setting.

Thanks Tom, need to do a little checking.

You can test if your system is using rp_filter = 2 by typing
sudo sysctl --all | grep '\.rp_filter'

Ubuntu 19.10 and by extension Pop_OS 19.10 have it set for each adapter

net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.enp0s31f6.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.wlp5s0.rp_filter = 2
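The grep above shows the raw numbers; what matters for CVE-2019-14899 is which conf entries are in loose mode (2) rather than strict (1, the value the systemd change on the thread's first post moved away from) or off (0). The script below is an added example and not code from the thread or from any distro: it maps each value to its kernel meaning and lists the entries still set to loose, parsing `sysctl` output of the form shown above. The SAMPLE block is the Ubuntu 19.10 output quoted in the post, embedded so the parser can be exercised offline; the function and variable names are my own.

```shell
#!/bin/sh
# Check per-interface rp_filter settings for the loose mode (2) that the
# CVE-2019-14899 advisory discussion is about.  Added example, not from the thread.

# Constructed sample: the Ubuntu 19.10 / Pop_OS 19.10 output quoted above.
SAMPLE='net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.enp0s31f6.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.wlp5s0.rp_filter = 2'

# Translate an rp_filter value into the mode name used by the kernel docs
# (Documentation/networking/ip-sysctl.txt): 0 = off, 1 = strict, 2 = loose.
rp_filter_mode() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# Read "net.ipv4.conf.<entry>.rp_filter = N" lines from stdin and print, one
# per line, every entry (including the 'all' and 'default' templates) whose
# value is loose (2).  The loopback entry is skipped: lo is normally 0 and is
# not a path an attacker's spoofed packets arrive on.
loose_rp_filter_ifaces() {
    while IFS= read -r line; do
        case "$line" in
            net.ipv4.conf.*.rp_filter*) ;;
            *) continue ;;
        esac
        entry=${line#net.ipv4.conf.}
        entry=${entry%%.rp_filter*}
        value=${line##*= }
        [ "$entry" = lo ] && continue
        [ "$(rp_filter_mode "$value")" = loose ] && echo "$entry"
    done
    return 0
}

# Live check against the running kernel (needs sysctl; not used by the offline test).
check_live() {
    sysctl -a 2>/dev/null | grep '\.rp_filter' | loose_rp_filter_ifaces
}

# Print a sysctl.d fragment that restores strict mode for the template entries
# and for every loose entry named on stdin, e.g.:
#   printf '%s\n' "$SAMPLE" | loose_rp_filter_ifaces | strict_sysctl_fragment
# Save the output under /etc/sysctl.d/ and apply it with `sysctl --system`.
strict_sysctl_fragment() {
    echo "# Reverse-path filtering back to strict (1); see CVE-2019-14899"
    while IFS= read -r entry; do
        echo "net.ipv4.conf.${entry}.rp_filter = 1"
    done
}

# Stand-alone run: report the loose entries in the sample.
printf '%s\n' "$SAMPLE" | loose_rp_filter_ifaces
```

Running it on the sample prints `all`, `default`, `enp0s31f6` and `wlp5s0`, i.e. every entry except lo is loose on that Ubuntu 19.10 box. Before switching a multi-homed host (a router, or a machine with several uplinks) back to strict mode, check that its return traffic is not asymmetric, since strict reverse-path filtering drops packets whose source would not be routed back out the interface they arrived on.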