From owner-freebsd-security@freebsd.org Sun Dec 8 11:37:29 2019 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 79D601E1351 for ; Sun, 8 Dec 2019 11:37:29 +0000 (UTC) (envelope-from eugen@grosbein.net) Received: from hz.grosbein.net (hz.grosbein.net [IPv6:2a01:4f8:c2c:26d8::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hz.grosbein.net", Issuer "hz.grosbein.net" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 47W47D2Pk5z3y3X for ; Sun, 8 Dec 2019 11:37:27 +0000 (UTC) (envelope-from eugen@grosbein.net) Received: from eg.sd.rdtc.ru (eg.sd.rdtc.ru [IPv6:2a03:3100:c:13:0:0:0:5]) by hz.grosbein.net (8.15.2/8.15.2) with ESMTPS id xB8BXGHt015933 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 8 Dec 2019 11:33:17 GMT (envelope-from eugen@grosbein.net) X-Envelope-From: eugen@grosbein.net X-Envelope-To: 000.fbsd@quip.cz Received: from [10.58.0.4] ([10.58.0.4]) by eg.sd.rdtc.ru (8.15.2/8.15.2) with ESMTPS id xB8BXCmb093884 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Sun, 8 Dec 2019 18:33:12 +0700 (+07) (envelope-from eugen@grosbein.net) Subject: Re: New Linux vulnerability lets attackers hijack VPN connections To: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-security@freebsd.org References: <6b02b7b8-c40d-93d0-319d-15dcf8ac9fd5@quip.cz> From: Eugene Grosbein Message-ID: <55670520-3f6d-2674-bb05-08e78d4d92da@grosbein.net> Date: Sun, 8 Dec 2019 18:33:06 +0700 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0 MIME-Version: 1.0 In-Reply-To: <6b02b7b8-c40d-93d0-319d-15dcf8ac9fd5@quip.cz> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 8bit X-Spam-Flag: YES X-Spam-Status: Yes, score=5.5 required=5.0 tests=BAYES_00, DATE_IN_FUTURE_48_96, HELO_MISC_IP,LOCAL_FROM,RDNS_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-Report: * -2.3 BAYES_00 BODY: Bayes spam probability is 0 to 1% * [score: 0.0000] * -0.0 SPF_PASS SPF: sender matches SPF record * 2.2 DATE_IN_FUTURE_48_96 Date: is 48 to 96 hours after Received: * date * 2.6 LOCAL_FROM From my domains * 1.9 RDNS_NONE Delivered to internal network by a host with no rDNS * 1.1 HELO_MISC_IP Looking for more Dynamic IP Relays X-Spam-Level: ***** X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on eg.sd.rdtc.ru X-Rspamd-Queue-Id: 47W47D2Pk5z3y3X X-Spamd-Bar: + Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=permerror (mx1.freebsd.org: domain of eugen@grosbein.net uses mechanism not recognized by this client) smtp.mailfrom=eugen@grosbein.net X-Spamd-Result: default: False [1.27 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.97)[-0.969,0]; SPAM_FLAG(5.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; NEURAL_HAM_LONG(-0.97)[-0.969,0]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[grosbein.net]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; R_SPF_PERMFAIL(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; IP_SCORE(-1.69)[ip: (-4.49), ipnet: 2a01:4f8::/29(-2.37), asn: 24940(-1.59), country: DE(-0.01)]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:24940, ipnet:2a01:4f8::/29, country:DE]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 08 Dec 2019 11:37:29 -0000 08.12.2019 16:25, Miroslav Lachman wrote: > https://www.bleepingcomputer.com/news/security/new-linux-vulnerability-lets-attackers-hijack-vpn-connections/ > > Security researchers found a new vulnerability allowing potential attackers to hijack VPN connections on affected *NIX devices and inject arbitrary data payloads into IPv4 and IPv6 TCP streams. > > They disclosed the security flaw tracked as CVE-2019-14899 to distros and the Linux kernel security team, as well as to others impacted such as Systemd, Google, Apple, OpenVPN, and WireGuard. > > The vulnerability is known to impact most Linux distributions and Unix-like operating systems including FreeBSD, OpenBSD, macOS, iOS, and Android. > > Attacks exploiting CVE-2019-14899 work against OpenVPN, WireGuard, and IKEv2/IPSec, but the researchers are still testing their feasibility against Tor. > > https://seclists.org/oss-sec/2019/q4/122 Why do these "researchers" call it "new"? There is nothing new in lack of standard anti-spoofing filtering for network interfaces of any kind, be it tunnels or not. Our /etc/rc.firewall has "Stop spoofing" configuration by phk@ since first revision committed in 1996. Our gif(4) interface has built-in anti-spoofing feature enabled by default, too.