CVE-2019-14899

Published: 11/12/2019 Updated: 01/03/2023
CVSS v2 Base Score: 4.9 | Impact Score: 6.4 | Exploitability Score: 4.4
CVSS v3 Base Score: 7.4 | Impact Score: 5.9 | Exploitability Score: 1.5
VMScore: 437
Vector: AV:A/AC:M/Au:S/C:P/I:P/A:P

Vulnerability Summary

A vulnerability exists in Linux, FreeBSD, OpenBSD, macOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for a malicious user to hijack active connections inside the VPN tunnel.

Vulnerable Product

freebsd freebsd -

linux linux kernel -

openbsd openbsd -

apple mac os x

apple tvos

apple iphone os

apple ipados

apple macos 11.0

Mailing Lists

Full Disclosure: APPLE-SA-2020-12-14-4 Additional information for APPLE-SA-2020-11-13-1 macOS Big Sur 1101
Full Disclosure: APPLE-SA-2020-07-15-2 macOS Catalina 10156, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra
Full Disclosure: APPLE-SA-2020-11-13-3 Additional information for APPLE-SA-2020-09-16-1 iOS 140 and iPadOS 140
oss-sec: Re: Blind in/on-path attacks against VPN-tunneled connections (CVE-2019-14899 follow-up)
oss-sec: Re: [CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections
oss-sec: Re: [CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections
oss-sec: Re: [CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections

Github Repositories

WARNING: CONFIG_IP_NF_MATCH_ECN is invalid It is unset Allowed values : y, m, ! Comment says: connman: for iptables ecn match WARNING: CONFIG_BLK_CGROUP is invalid It is unset Allowed values : y, ! Comment says: systemd (optional): 0pointerde/blog/projects/cgroups-vs-cgroupshtml WARNING: CONFIG_IP_NF_TARGET_MASQUERADE is invalid It is unset Allowed values : y, m, ! Com

Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings - https://www.kicksecure.com/wiki/Security-misc

Enhances miscellaneous security settings. Kernel hardening: This section is inspired by the Kernel Self Protection Project (KSPP). It implements all recommended Linux kernel settings by the KSPP and many more. kernsec.org/wiki/index.php/Kernel_Self_Protection_Project. sysctl: sysctl settings are configured via the /etc/sysctl.d/30_security-misc.conf configuration file.

Wrapper for OpenVPN on Linux solving various privacy issues

namespaced-openvpn: namespaced-openvpn is a wrapper script for OpenVPN on Linux that uses network namespaces to solve a variety of deanonymization, information disclosure, and usability issues. Relative to OpenVPN's default behavior, it can be used to provide additional hardening or additional isolation (e.g., running some processes inside a VPN and some outside it, or runn

Recent Articles

Tricky VPN-busting bug lurks in iOS, Android, Linux distros, macOS, FreeBSD, OpenBSD, say university eggheads
The Register • Shaun Nichols in San Francisco • 06 Dec 2019

OpenVPN, WireGuard, IKEv2/IPSec also vulnerable to tampering flaw, we're told

A bug in the way Unix-flavored systems handle TCP connections could put VPN users at risk of having their encrypted traffic hijacked, it is claimed. The University of New Mexico team of William Tolley, Beau Kujath, and Jedidiah Crandall this week said they've discovered CVE-2019-14899, a security weakness they report to be present in "most" Linux distros, along with Android, iOS, macOS, FreeBSD, and OpenBSD. The upshot is, if exploited, encrypted VPN traffic can be potentially hijacked and disru...