
Security_Update_Urgent VPN Affected CVE-2019-14899

ucmRich

Hi all,

 

I don't know if this has been posted or not, search didn't find anything, but just in case here goes:

 

I just installed PIA version 1.7 and it mentioned that they patched the CVE-2019-14899 security bug.

 

Apparently it's an extremely bad bug; here is their site blog about it:

 

https://www.privateinternetaccess.com/blog/2019/12/private-internet-access-updates-linux-desktop-client-to-prevent-against-cve-2019-14899/

 

Here's a quote from PIA about affected platforms:

 

 

Quote

When the researchers tested the vulnerability on Linux, they found that most Linux distros were vulnerable. The vulnerability also affects IPv6. Confirmed affected systems include the following, though the list is in no way exhaustive:

  • Ubuntu 19.10 (systemd)
  • Fedora (systemd)
  • Debian 10.2 (systemd)
  • Arch 2019.05 (systemd)
  • Manjaro 18.1.1 (systemd)
  • MX Linux 19 (Mepis+antiX)
  • Deepin (rc.d)

 

 

 

The official bulletin can be found here:  https://nvd.nist.gov/vuln/detail/CVE-2019-14899

 

They say that in addition to various Linux distros, FreeBSD, OpenBSD, MacOS, iOS, and Android are affected as well, so please patch as soon as you can.

 

Stay safe everyone!


Quote

A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream.

Well then, this is pretty much a MITM attack. Pretty bad.

Current LTT F@H Rank: 90    Score: 2,503,680,659    Stats

Yes, I have 9 monitors.

My main PC (Hybrid Windows 10/Arch Linux):

OS: Arch Linux w/ XFCE DE (VFIO-Patched Kernel) as host OS, windows 10 as guest

CPU: Ryzen 9 3900X w/PBO on (6c 12t for host, 6c 12t for guest)

Cooler: Noctua NH-D15

Mobo: Asus X470-F Gaming

RAM: 32GB G-Skill Ripjaws V @ 3200MHz (12GB for host, 20GB for guest)

GPU: Guest: EVGA RTX 3070 FTW3 ULTRA Host: 2x Radeon HD 8470

PSU: EVGA G2 650W

SSDs: Guest: Samsung 850 evo 120 GB, Samsung 860 evo 1TB Host: Samsung 970 evo 500GB NVME

HDD: Guest: WD Caviar Blue 1 TB

Case: Fractal Design Define R5 Black w/ Tempered Glass Side Panel Upgrade

Other: White LED strip to illuminate the interior. Extra fractal intake fan for positive pressure.

 

unRAID server (Plex, Windows 10 VM, NAS, Duplicati, game servers):

OS: unRAID 6.11.2

CPU: Ryzen R7 2700x @ Stock

Cooler: Noctua NH-U9S

Mobo: Asus Prime X470-Pro

RAM: 16GB G-Skill Ripjaws V + 16GB Hyperx Fury Black @ stock

GPU: EVGA GTX 1080 FTW2

PSU: EVGA G3 850W

SSD: Samsung 970 evo NVME 250GB, Samsung 860 evo SATA 1TB 

HDDs: 4x HGST Deskstar NAS 4TB @ 7200RPM (3 data, 1 parity)

Case: Silverstone GD08B

Other: Added 3x Noctua NF-F12 intake, 2x Noctua NF-A8 exhaust, Inatek 5 port USB 3.0 expansion card with usb 3.0 front panel header

Details: 12GB ram, GTX 1080, USB card passed through to windows 10 VM. VM's OS drive is the SATA SSD. Rest of resources are for Plex, Duplicati, Spaghettidetective, Nextcloud, and game servers.


NVD data on CVE-2019-14899:

 

https://nvd.nist.gov/vuln/detail/CVE-2019-14899

 

This was originally reported on by media on December 6th:

https://www.bleepingcomputer.com/news/security/new-linux-vulnerability-lets-attackers-hijack-vpn-connections/

 

OpenVPN says:

Quote

No flaws found in OpenVPN software. Our response to the CVE-2019-14899 vulnerability report.

SECURITY ADVISORY

OUR RESPONSE TO THE CVE-2019-14899 VULNERABILITY REPORT

A research team from the University of New Mexico discovered a vulnerability currently being tracked as CVE-2019-14899 which claims that VPN connections can be hijacked on Linux and Unix systems. The report mentioned the OpenVPN protocol. As part of good security principles, we are looking into this and any possible attack vectors, however we have found no flaws in the OpenVPN software.

An initial investigation by our security experts, and experts across the globe, reveals that this issue affects all network interfaces, not VPN in particular.

“It doesn't appear to be a flaw in the OpenVPN software, but a flaw in the configuration of the operating system itself. The issue is more in how the operating system deals with this type of attack in general, rather than anything going wrong in the VPN connection itself,” says OpenVPN Access Server Product Manager, Johan Draaisma.

To our knowledge, the vulnerability is only impacting Linux and Unix systems and requires that the attacker has control over your Internet access point and can therefore reach and affect your computer outside of the VPN, in the local network, for example. Based on this, the attack is somewhat limited, and there is no straight-forward way to retrieve unencrypted data from the VPN connection.

“The issue may actually be located in the Linux operating system settings rather than in our software, but given the serious nature of the attack, we are paying close attention and will consider whatever steps are appropriate to ensure OpenVPN remains safe to use on these affected platforms. For now enabling the ‘reverse path filter’ setting in the OS is a good first step to help protect against this attack,” says Draaisma.

https://openvpn.net/security-advisory/no-flaws-found-in-openvpn-software/
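The advisory above recommends enabling the reverse path filter. The following is an added example (not from the thread, OpenVPN or PIA) that audits each interface's effective `rp_filter` value on a Linux host and enables strict mode; it assumes the standard kernel sysctl keys under `net.ipv4.conf.*.rp_filter` and a `/etc/sysctl.d` directory. Note that only strict mode (1) performs the per-interface reverse-route check; loose mode (2), which some systemd versions set by default, only rejects sources with no route at all, and strict mode can drop legitimate traffic on hosts with asymmetric routing.

```shell
#!/bin/sh
# Added example: audit and enable strict reverse-path filtering on Linux.
# rp_filter values: 0 = off, 1 = strict (drop if the reverse route to the
# source does not leave via the receiving interface), 2 = loose (drop only
# if the source is unroutable). Assumes a Linux host with the standard keys.

# Returns 0 (true) only when the given value means strict mode.
rp_filter_is_strict() {
  [ "$1" = "1" ]
}

# The kernel applies max(conf/all, conf/<iface>), so this is the effective value.
rp_filter_effective() {
  if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Audit: one line per interface; returns 1 if any interface is not strict.
# $1 is the sysctl tree root (default /proc/sys/net/ipv4/conf; a constructed
# directory tree can be passed instead for offline testing).
rp_filter_audit() {
  root="${1:-/proc/sys/net/ipv4/conf}"
  all=$(cat "$root/all/rp_filter")
  rc=0
  for dir in "$root"/*/; do
    ifc=$(basename "$dir")
    [ "$ifc" = "all" ] && continue
    [ "$ifc" = "default" ] && continue
    eff=$(rp_filter_effective "$all" "$(cat "$dir/rp_filter")")
    if rp_filter_is_strict "$eff"; then
      echo "$ifc: rp_filter=$eff (strict)"
    else
      echo "$ifc: rp_filter=$eff (NOT strict)"
      rc=1
    fi
  done
  return $rc
}

# Enable strict mode now and persist it across reboots (requires root).
rp_filter_enable() {
  sysctl -w net.ipv4.conf.all.rp_filter=1
  sysctl -w net.ipv4.conf.default.rp_filter=1
  printf '%s\n' 'net.ipv4.conf.all.rp_filter = 1' \
                'net.ipv4.conf.default.rp_filter = 1' \
    > /etc/sysctl.d/90-rp-filter.conf
}
```

Run `rp_filter_audit` unprivileged first; a non-zero exit means at least one interface is still in off or loose mode.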

 


I am now glad that I moved my Android client over to ProtonVPN.

 

For anyone that doesn't know, you can create a Protonmail account and then use the free servers at ProtonVPN. It doesn't come with the advanced features (they are behind a paywall), but it does come with the following as standard:

Quote
  • 1 simultaneous VPN connection
  • Servers in 3 countries
  • Medium speed
  • No logs policy
  • No data limit
  • No ads

 

If you need it on more than 1 client, you could make several accounts for example... or get their paid versions for features such as

 

[screenshot of ProtonVPN paid plan features omitted]

 

https://protonvpn.com/

 

 

Hope this helps someone. I am not associated with them in any way, just want to spread the word about this awesome company.

I have been using Protonmail for years with 2FA, everything encrypted etc.

 

Just for transparency, you may not find a close free server in your location. But for me, living in the UK, I have free servers come up in:

  • Netherlands
  • USA
  • Japan

All other countries, and regions of countries are behind the paywall. I personally advise that the paid versions have some great features, but if all you need is one connection on one device and you have a free server near to you, then go for free.

Please quote my post, or put @paddy-stone if you want me to respond to you.

Spoiler
  • PCs:-
  • Main PC build  https://uk.pcpartpicker.com/list/2K6Q7X
  • ASUS x53e  - i7 2670QM / Sony BD writer x8 / Win 10, Elementary OS, Ubuntu / Samsung 830 SSD
  • Lenovo G50 - 8Gb RAM - Samsung 860 Evo 250GB SSD - DVD writer
  • Displays:-
  • Philips 55 OLED 754 model
  • Panasonic 55" 4k TV
  • LG 29" Ultrawide
  • Philips 24" 1080p monitor as backup
  • Storage/NAS/Servers:-
  • ESXI/test build  https://uk.pcpartpicker.com/list/4wyR9G
  • Main Server https://uk.pcpartpicker.com/list/3Qftyk
  • Backup server - HP Proliant Gen 8 4 bay NAS running FreeNAS ZFS striped 3x3TiB WD reds
  • HP ProLiant G6 Server SE316M1 Twin Hex Core Intel Xeon E5645 2.40GHz 48GB RAM
  • Gaming/Tablets etc:-
  • Xbox One S 500GB + 2TB HDD
  • PS4
  • Nvidia Shield TV
  • Xiaomi/Pocophone F2 Pro 8GB/256GB
  • Xiaomi Redmi Note 4
 

  • Unused Hardware currently :-
  • 4670K MSI mobo 16GB ram
  • i7 6700K  b250 mobo
  • Zotac GTX 1060 6GB Amp! edition
  • Zotac GTX 1050 mini

 

 


On 12/12/2019 at 12:38 PM, OlympicAssEater said:

You should dump pia because the company got acquired by another shady company. 

Normally I would drop them like you all have, but Linus and crew have been trying to get PIA to come on the show to discuss the situation and try to instill proper trust; not to mention I already paid them for 2 years just a few months ago, so they won't be giving back my $ -_-

 

Originally I was going to go with TunnelBear, but the same day I was going to go with them is when they got snatched up, and I decided to wait till another VPN could be considered.

 

I didn't go with NordVPN because a friend said not to, and he turned out to be right.

 

I am very hopeful that PIA will pull through the trust barrier whenever they can get on the show with Linus. I'm going to miss the show today again though, darn real life *shakes fist*

 

May the VPN gods be with us <.<

 
