Follow

For those of you that use VPN: "CVE-2019-14899 - Inferring and hijacking VPN-tunneled TCP connections." sounds like a load of fun:

<Here is a list of the operating systems we have tested which are
vulnerable to this attack:

Ubuntu 19.10 (systemd)
Fedora (systemd)
Debian 10.2 (systemd)
Arch 2019.05 (systemd)
Manjaro 18.1.1 (systemd)

Devuan (sysV init)
MX Linux 19 (Mepis+antiX)
Void Linux (runit)

Slackware 14.2 (rc.d)
Deepin (rc.d)
FreeBSD (rc.d)
OpenBSD (rc.d)

This list isn’t exhaustive>

Here is a link to the full write-up on the OSS Security mailing list:

openwall.com/lists/oss-securit

I'd like to know which vendor is going to react first...

<< This vulnerability works against OpenVPN, WireGuard, and IKEv2/IPSec, but has not been thoroughly tested against tor, but we believe it is not vulnerable since it operates in a SOCKS layer and includes authentication and encryption that happens in userspace.>>

TL;DR: pretty much everyone is vulnerable, except Tor. Ooops.

@ParadeGrotesque Then tunneled browsing over ssh should be immune too as that method uses socks?

@gemlog

Sounds very likely.

Since this is what I use all the time, I feel much better about certain technical choices I made long ago... 😋

@ParadeGrotesque
Ooh, glad I don't use VPN.

According to the report:
seclists.org/oss-sec/2019/q4/1
the vulnerability also exists in Android, which might account for a lot of users. MacOS and iOS are also included.

Sign in to participate in the conversation
Mastodon @ SDF

"I appreciate SDF but it's a general-purpose server and the name doesn't make it obvious that it's about art." - Eugen Rochko