Bug 1774905 (CVE-2019-14899) - CVE-2019-14899 VPN: an attacker can inject data into the TCP stream which allows a hijack of active connections inside the VPN tunnel
Summary: CVE-2019-14899 VPN: an attacker can inject data into the TCP stream which all...
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2019-14899
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1780527 1780523 1780524 1780525 1780526
Blocks: 1776178
TreeView+ depends on / blocked
 
Reported: 2019-11-21 09:34 UTC by Marian Rehak
Modified: 2021-02-16 21:02 UTC (History)
15 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in openvpn. A malicous access point or adjacent user can determine if a connected user is using a VPN by making positive inferences about the websites they are visiting, and determining the correct sequence and acknowledgement numbers in use, which allows the attacker to inject data into the TCP stream. With this information, an attacker could hijack an active connection inside the VPN tunnel. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2019-12-10 19:24:04 UTC
Embargoed:


Attachments (Terms of Use)

Description Marian Rehak 2019-11-21 09:34:04 UTC
A malicious access point, or an adjacent user,  to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel.

Comment 2 msiddiqu 2019-12-06 09:47:11 UTC
Created ike tracking bugs for this issue:

Affects: epel-6 [bug 1780526]
Affects: epel-8 [bug 1780527]
Affects: fedora-all [bug 1780525]


Created openvpn tracking bugs for this issue:

Affects: epel-all [bug 1780524]
Affects: fedora-all [bug 1780523]

Comment 3 Product Security DevOps Team 2019-12-06 13:04:50 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Comment 9 Product Security DevOps Team 2019-12-10 19:24:04 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Comment 11 msiddiqu 2019-12-11 10:53:44 UTC
External References:   

https://openvpn.net/security-advisory/no-flaws-found-in-openvpn-software/

Comment 13 Steve Susbauer 2019-12-13 02:55:08 UTC
To quote the original message to oss-sec, "This vulnerability works against OpenVPN, WireGuard, and IKEv2/IPSec"

Are the implementations of IKEv2 and IPSec in RHEL vulnerable based on the systemd configuration? What about libreswan?

Comment 14 David Sommerseth 2019-12-13 09:05:52 UTC
(In reply to Steve Susbauer from comment #13)
> To quote the original message to oss-sec, "This vulnerability works against
> OpenVPN, WireGuard, and IKEv2/IPSec"
> 
> Are the implementations of IKEv2 and IPSec in RHEL vulnerable based on the
> systemd configuration? What about libreswan?

I believe this issue not strictly tied to any specific VPN solution, the paper just used VPN as one potential attack vector.  This issue goes deeper into how the network stack in the kernel works in general (related to the host model [1]) and could typically work against any network interface.

My personal opinion about this research paper and CVE is that it is not describing the issue clearly enough and instead points fingers at several specific VPN solutions.  And then most media goes wild while not fully understanding the paper, but since it mentions several VPN solutions they ignore the finer details and claims in bold headlines that "VPN solution FOOBAR is broken".  What is also an important detail, this paper proposes three potential mitigations; only one of them would be applicable for the VPN implementations - and if I understood some replies, IPSec even has this feature proposed available today but is disabled by default (and I don't believe it is disabled by default for a security reason, but more a performance reason).

[1] https://en.wikipedia.org/wiki/Host_model

Comment 15 Paul Wouters 2019-12-13 15:05:55 UTC
The Linux XFRM IPsec implementation provides hooks that are not bypassed by any kind of routing. It ensures packets that should have been encrypted are not received plaintext, and drops those that are. So I strongly suspect that our IKE/IPsec solution (libreswan + Linux kernel) is not vulnerable to this, irrespective of how the init system or administrator setup the rp_filter options.

however, I am still in the process of writing up test cases that confirm my expectation before I do a write up on this.

Comment 16 Eric Christensen 2020-05-06 14:50:16 UTC
Statement:

This issue did not affect Red Hat Enterprise Linux 5, 6, 7, and 8 as openvpn package is currently not provided in any of our supported products.


Note You need to log in before you can comment on or make changes to this bug.