Statement from Proton VPN regarding CVE-2019-14899

On Dec. 4, security researchers at the IT security site SecLists(new window) announced a security flaw known as CVE-2019-14899 that affects all VPNs that use the OpenVPN protocol and most VPNs that use the IKEv2/IPSec protocol In narrow circumstances. This vulnerability cannot be used for mass surveillance. It allows attackers to actively probe (or “guess”) what IP and port a TCP connection is connected to. CVE-2019-14899 could represent a problem for users when they are specifically targeted by an attacker who controls the WiFi or LAN they are connected to, but the high difficulty of executing this attack versus the rather minimal access an attacker receives means this attack is unlikely to be deployed against the average VPN user.

Unfortunately, there is relatively little that VPN services can do themselves to patch the issue because it affects VPN connections by exploiting the operating system. While developers of Android, iOS, and macOS software work to resolve the problem, we are also taking steps to mitigate risks to our users, and we will be implementing a fix to our Linux client. This article describes those steps and explains more about the vulnerability.

What is CVE-2019-14899?

CVE-2019-14899 is not a flaw in any specific VPN service or VPN protocol. Rather, it is a clever exploit of the “weak host model” (for interested readers, here is a good explanation of weak host models(new window)), adopted by macOS, iOS, Android, and certain versions of Linux.

The vulnerability is inherent to the default IP routing strategies and policies that are used by route-based protocols (like OpenVPN). Android, iOS, and macOS only allow VPNs that use route-based protocols, so any VPN app on Android, iOS, and macOS is vulnerable. 

The situation is slightly different on Linux, where OpenVPN is a route-based protocol while StrongSwan and IKEv2/IPSec act as policy-based protocols (and thus not affected). The Proton VPN Linux client uses OpenVPN and is therefore currently vulnerable, though we have identified a fix and are working to implement it. 

Windows apps, including the Proton VPN Windows app, are not affected.

Learn more about VPN protocols(new window).

Impact of CVE-2019-14899

Contrary to the sensational reporting online, this vulnerability does not permit data packet inspection or large-scale monitoring of user activity. Instead, it allows an attacker to probe a specific, known TCP connection and “guess” if it is connected to a specific destination IP and port. If the attacker guesses the correct IP and port, they will confirm the connection exists. If the connection is unencrypted, the attacker could then inject data into it.

Provided there is no reverse path filtering, an attacker that controls your L2 link (i.e., your WiFi or LAN) can send specially crafted packets to your device. The attacker can then use those packets to actively probe for certain properties of the TCP connections originating from your device. In other words, by controlling a device’s access point to the Internet, an attacker can infer if the user is connected to a specific host and port.

Additionally, if a TCP connection is unencrypted inside the VPN tunnel (if you visit a page that uses HTTP instead of HTTPS, for instance), the attacker can inject packets into that specific unencrypted stream. This would allow an attacker to feed your device fake HTML content for that particular stream. That would be dangerous, but as previously stated, the attacker must target a specific TCP connection, so it is not a simple vulnerability to exploit.

Possible solutions

Linux

To mitigate CVE-2019-14899, Linux clients have two possible solutions:

  • Enable strict reverse path filtering: sysctl net.ipv4.conf.all.rp_filter=1
  • Employ IPTables: iptables -t raw \! -i tun0 -d 10.0.0.0/8 -j DROP

A general workaround for all operating systems would be to separate the L2 of the machine by using a VM or a non-bridged container. In that situation, the kernel of the machine connected to the network has no knowledge of the VPN interface, and therefore cannot leak any information.

We have decided to implement the IPTables solution for our Linux client. We will publish an update on social media when our Linux client has been updated. 

Android

To resolve this vulnerability on an Android device, you would need either a rooted phone, or Android developers would need to address the security flaw by releasing a fix in its operating system. We will closely monitor the progress on this issue on the Android platform.

iOS and macOS

Similarly, the solution for an iOS device would require either a jail-broken phone or Apple developers to fix this vulnerability in its operating system. There is no satisfactory resolution for macOS, either, until Apple provides an operating system update. However, Apple devices are “multihomed” to increase the level of connectivity between them, and CVE-2019-14899 affects precisely this configuration. It seems unlikely that Apple will decide to change this policy. We will closely monitor the situation on macOS and iOS platforms. 

Should I be concerned by this security flaw?

The answer to this question depends on your threat model. This security flaw does not allow mass surveillance, but it can be exploited to monitor individual users who connect to specific access points or LANs controlled by the attacker. If your threat model makes you concerned about this weakness, we advise you to connect to the VPN servers with our Windows app or use our Linux client after we have implemented a fix. If you need to browse privately on an unknown network using an Android, iOS, or macOS device, connecting to the Tor network(new window) would also be a solution. 

Please follow us on Reddit(new window), Twitter(new window), or visit this blog for updates on our progress regarding CVE-2019-14899.

Best Regards,
The Proton VPN Team

To get a free Proton Mail encrypted email account, visit: proton.me/mail(new window)

Related articles

How to fix a 502 error
en
In this article, we explain what a 502 bad gateway error is and explore possible ways to fix it as a visitor to a website.
Watch Thanksgiving Day football with Proton VPN
en
Here's how you can live stream this year's Thanksgiving football games using Proton VPN, whether you're watching from home or abroad.
Where to watch Macy's Thanksgiving day parade
en
Here's how and where to watch Macy's Thanksgiving Day Parade live from anywhere in the world with Proton VPN.
What we've been up to, and what's next
en
Here are the main things Proton VPN delivered this spring and summer and the exciting changes that lie ahead on our product roadmap this winter.
Proton VPN for Windows ARM
en
We’re pleased to announce a new Proton VPN app with native support for Windows devices that use the ARM chipset.
What is doxing and is doxing illegal
en
  • Privacy basics
We look at what doxing is, who does it (and why), and at how to protect yourself from doxing .