Date: Sun, 8 Dec 2019 18:33:06 +0700 From: Eugene Grosbein <eugen@grosbein.net> To: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-security@freebsd.org Subject: Re: New Linux vulnerability lets attackers hijack VPN connections Message-ID: <55670520-3f6d-2674-bb05-08e78d4d92da@grosbein.net> In-Reply-To: <6b02b7b8-c40d-93d0-319d-15dcf8ac9fd5@quip.cz> References: <6b02b7b8-c40d-93d0-319d-15dcf8ac9fd5@quip.cz>
next in thread | previous in thread | raw e-mail | index | archive | help
08.12.2019 16:25, Miroslav Lachman wrote: > https://www.bleepingcomputer.com/news/security/new-linux-vulnerability-lets-attackers-hijack-vpn-connections/ > > Security researchers found a new vulnerability allowing potential attackers to hijack VPN connections on affected *NIX devices and inject arbitrary data payloads into IPv4 and IPv6 TCP streams. > > They disclosed the security flaw tracked as CVE-2019-14899 to distros and the Linux kernel security team, as well as to others impacted such as Systemd, Google, Apple, OpenVPN, and WireGuard. > > The vulnerability is known to impact most Linux distributions and Unix-like operating systems including FreeBSD, OpenBSD, macOS, iOS, and Android. > > Attacks exploiting CVE-2019-14899 work against OpenVPN, WireGuard, and IKEv2/IPSec, but the researchers are still testing their feasibility against Tor. > > https://seclists.org/oss-sec/2019/q4/122 Why do these "researchers" call it "new"? There is nothing new in lack of standard anti-spoofing filtering for network interfaces of any kind, be it tunnels or not. Our /etc/rc.firewall has "Stop spoofing" configuration by phk@ since first revision committed in 1996. Our gif(4) interface has built-in anti-spoofing feature enabled by default, too.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?55670520-3f6d-2674-bb05-08e78d4d92da>