New vulnerability could hijack VPN connections in Linux

Linux VPN vulnerability

A new vulnerability has been discovered in Linux that is so recent that its description has not yet been included. It's about the CVE-2019-14899, a vulnerability that would allow malicious users hijack VPN connections. Although most of the media talk about a security flaw that affects Linux, the truth is that it also affects other Unix-based operating systems, such as FreeBSD and OpenBSD. The list does not mention Apple's macOS, but they have notified the Cupertino company to take action.

The partial list of affected systems, the one you have after the hack, includes only a small group of operating systems. But, taking into account what appears in this list, we can say that the vulnerability affects the majority of Linux users. The good news is that affected companies such as the Linux kernel security team, Google, Apple, Systemd, WireGuard, and OpenVPN, have already been informed about the bug and as of this writing they should already be working on a patch to fix it.

VPN failure affects these operating systems, among others

  • Ubuntu 19.10 (Systemd)
  • Fedora (systemd)
  • Debian 10.2 (systemd)
  • Arch 2019.05 (systemd)
  • Manjaro 18.1.1 (systemd)
  • Devuan (sysV init)
  • MX Linux 19 (Mepis + antiX)
  • Void Linux (runit)
  • Slackware 14.2 (rc.d)
  • Deepin (rc.d)
  • FreeBSD (rc.d)
  • OpenBSD (rc.d)

This security breach allows an adjacent attacker on the network knows if another user is connected to the same server VPN. The attacker can also determine whether or not the user is connected to a certain website. In addition, they can determine the exact sequence and recognized numbers. After which they examine the sending of the packet, which leads to data injection and finally connection hijacking.

To protect ourselves from the potential attack, what we have to do is enable reverse path filtering using bogon filtering. On the other hand, it is also worth it keep an eye out for security updates offered by our operating system and install them as soon as they are ready.


4 comments, leave yours

Leave a Comment

Your email address will not be published. Required fields are marked with *

*

*

  1. Responsible for the data: AB Internet Networks 2008 SL
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.

  1.   Caesar Salad said

    Thanks for letting me know.

  2.   Mariano said

    Since when are there so many vulnerabilities and security problems in Linux? A while ago I never saw articles about security issues.

  3.   zoharis said

    It is news in Linux because it is something very rare.
    Of the wide variety of distributions out there, it only attacks those few and can be fixed.
    In Windows it is nothing new, because it always has problems and we cannot solve them, we have to wait for patches and updates that fix one thing and damage 10.

    1.    Pepe said

      Linux always has problems when updating to a new version of the operating system and something also always fails, it is not news in forums. You run out of audio, wifi, no interface ... or whatever you like at the time.