Date: Sun, 8 Dec 2019 21:37:38 +0100
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Eugene Grosbein <eugen@grosbein.net>, freebsd-security@freebsd.org
Subject: Re: New Linux vulnerability lets attackers hijack VPN connections
Message-ID: <e5fd6ebc-6ab7-d1fc-2b5e-8ff3143689a0@quip.cz>
In-Reply-To: <55670520-3f6d-2674-bb05-08e78d4d92da@grosbein.net>
References: <6b02b7b8-c40d-93d0-319d-15dcf8ac9fd5@quip.cz> <55670520-3f6d-2674-bb05-08e78d4d92da@grosbein.net>

Eugene Grosbein wrote on 2019/12/08 12:33:
> 08.12.2019 16:25, Miroslav Lachman wrote:
>
>> https://www.bleepingcomputer.com/news/security/new-linux-vulnerability-lets-attackers-hijack-vpn-connections/
>>
>> Security researchers found a new vulnerability allowing potential attackers to hijack VPN connections on affected *NIX devices and inject arbitrary data payloads into IPv4 and IPv6 TCP streams.
>>
>> They disclosed the security flaw tracked as CVE-2019-14899 to distros and the Linux kernel security team, as well as to others impacted such as Systemd, Google, Apple, OpenVPN, and WireGuard.
>>
>> The vulnerability is known to impact most Linux distributions and Unix-like operating systems including FreeBSD, OpenBSD, macOS, iOS, and Android.
>>
>> Attacks exploiting CVE-2019-14899 work against OpenVPN, WireGuard, and IKEv2/IPSec, but the researchers are still testing their feasibility against Tor.
>>
>> https://seclists.org/oss-sec/2019/q4/122
>
> Why do these "researchers" call it "new"? There is nothing new in lack of standard anti-spoofing filtering
> for network interfaces of any kind, be it tunnels or not.
>
> Our /etc/rc.firewall has "Stop spoofing" configuration by phk@ since first revision committed in 1996.
> Our gif(4) interface has built-in anti-spoofing feature enabled by default, too.

They need to hype it a bit. It sounds more urgent than "old vulnerability".
And partly because it is new to some Linux distributions where some antispoof settings were turned off.

cite:

We see that the default settings in sysctl.d/50-default.conf in the systemd repository were changed from “strict” to “loose” mode on November 28, 2018, so distributions using a version of systemd without modified configurations after this date are now vulnerable.

Miroslav Lachman
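An added example, not part of the thread: on Linux, the "strict" and "loose" modes in the cited text are values 1 and 2 of the `net.ipv4.conf.*.rp_filter` sysctl, and the kernel applies the larger of the `all` and per-interface values to each interface. The sketch below audits that effective value per interface; the function names and the `RP_ROOT` override are hypothetical, chosen for this example.

```shell
#!/bin/sh
# Added example: audit Linux IPv4 reverse-path filtering (rp_filter).
# Values: 0 = no source validation, 1 = strict, 2 = loose.
# The kernel applies max(conf/all, conf/<iface>) to each interface,
# so a loose "all" setting overrides a strict per-interface one.

# Root of the per-interface settings; overridable (assumption of this
# example) so the audit can run against a constructed directory tree.
RP_ROOT="${RP_ROOT:-/proc/sys/net/ipv4/conf}"

# Print the effective rp_filter value for one interface.
effective_rp_filter() {
    iface="$1"
    all=$(cat "$RP_ROOT/all/rp_filter" 2>/dev/null || echo 0)
    own=$(cat "$RP_ROOT/$iface/rp_filter" 2>/dev/null || echo 0)
    if [ "$own" -gt "$all" ]; then echo "$own"; else echo "$all"; fi
}

# Map a numeric value to the mode name used in the cited text.
rp_mode_name() {
    case "$1" in
        1) echo strict ;;
        2) echo loose ;;
        *) echo off ;;
    esac
}

# Print "<iface> <value> <mode>" for every interface; return 1 if any
# interface is not in strict mode.
audit_rp_filter() {
    status=0
    for dir in "$RP_ROOT"/*/; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        # "all" and "default" are templates, not real interfaces.
        case "$iface" in all|default) continue ;; esac
        value=$(effective_rp_filter "$iface")
        echo "$iface $value $(rp_mode_name "$value")"
        [ "$value" -eq 1 ] || status=1
    done
    return $status
}
```

Calling `audit_rp_filter` on a Linux host lists each interface with its effective mode; a non-zero exit status means at least one interface is not in strict mode.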
