Statement from Proton VPN regarding CVE-2019-14899

On Dec. 4, security researchers at the IT security site SecLists announced a security flaw known as CVE-2019-14899 that affects all VPNs that use the OpenVPN protocol and, in narrow circumstances, most VPNs that use the IKEv2/IPSec protocol. This vulnerability cannot be used for mass surveillance. It allows attackers to actively probe (or “guess”) what IP and port a TCP connection is connected to. CVE-2019-14899 could represent a problem for users who are specifically targeted by an attacker who controls the WiFi or LAN they are connected to, but the high difficulty of executing this attack versus the rather minimal access an attacker gains means it is unlikely to be deployed against the average VPN user.

Unfortunately, there is relatively little that VPN services can do themselves to patch the issue because it affects VPN connections by exploiting the operating system. While developers of Android, iOS, and macOS software work to resolve the problem, we are also taking steps to mitigate risks to our users, and we will be implementing a fix to our Linux client. This article describes those steps and explains more about the vulnerability.

What is CVE-2019-14899?

CVE-2019-14899 is not a flaw in any specific VPN service or VPN protocol. Rather, it is a clever exploit of the “weak host model” (for interested readers, here is a good explanation of weak host models), adopted by macOS, iOS, Android, and certain versions of Linux.

The vulnerability is inherent to the default IP routing strategies and policies that are used by route-based protocols (like OpenVPN). Android, iOS, and macOS only allow VPNs that use route-based protocols, so any VPN app on Android, iOS, and macOS is vulnerable. 

The situation is slightly different on Linux, where OpenVPN is a route-based protocol while strongSwan and IKEv2/IPSec act as policy-based protocols (and are thus not affected). The Proton VPN Linux client uses OpenVPN and is therefore currently vulnerable, though we have identified a fix and are working to implement it.

Windows apps, including the Proton VPN Windows app, are not affected.

Learn more about VPN protocols.

Impact of CVE-2019-14899

Contrary to the sensational reporting online, this vulnerability does not permit data packet inspection or large-scale monitoring of user activity. Instead, it allows an attacker to probe a specific, known TCP connection and “guess” if it is connected to a specific destination IP and port. If the attacker guesses the correct IP and port, they will confirm the connection exists. If the connection is unencrypted, the attacker could then inject data into it.

Provided there is no reverse path filtering, an attacker that controls your L2 link (i.e., your WiFi or LAN) can send specially crafted packets to your device. The attacker can then use those packets to actively probe for certain properties of the TCP connections originating from your device. In other words, by controlling a device’s access point to the Internet, an attacker can infer if the user is connected to a specific host and port.

Additionally, if a TCP connection is unencrypted inside the VPN tunnel (if you visit a page that uses HTTP instead of HTTPS, for instance), the attacker can inject packets into that specific unencrypted stream. This would allow an attacker to feed your device fake HTML content for that particular stream. That would be dangerous, but as previously stated, the attacker must target a specific TCP connection, so it is not a simple vulnerability to exploit.

Possible solutions

Linux
To mitigate CVE-2019-14899, Linux clients have two possible solutions:

  • Enable strict reverse path filtering: sysctl -w net.ipv4.conf.all.rp_filter=1
  • Employ IPTables: iptables -t raw \! -i tun0 -d <tun0 address> -j DROP (the address after -d is missing from the page; <tun0 address> is a placeholder for the IP assigned to your VPN interface, so the rule drops any packet addressed to the tunnel IP that arrives on another interface)
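
The following audit helper is an added example, not Proton VPN's client code. It checks whether the reverse path filtering mitigation above is actually in strict mode (the kernel uses the higher of net.ipv4.conf.all.rp_filter and the per-interface value) and builds the raw-table rule for the tunnel's current address. It assumes the VPN interface is named tun0 and that the sysctl tree is mounted under /proc/sys/net/ipv4/conf.

```shell
#!/bin/sh
# Added example (not Proton VPN's code). Assumes the VPN interface is tun0.

# The kernel applies max(conf/all/rp_filter, conf/<iface>/rp_filter) to an
# interface, so all=1 is strict even if the per-interface value is 0, while
# all=0 with iface=2 only yields loose mode.
effective_rp_filter() {
    if [ "$1" -ge "$2" ]; then echo "$1"; else echo "$2"; fi
}

# True only for strict mode (1). Loose mode (2) does not stop the probe: a
# spoofed source that is reachable via any interface still passes the check.
rp_filter_is_strict() {
    [ "$(effective_rp_filter "$1" "$2")" -eq 1 ]
}

# Builds the raw-table rule from the article: drop any packet addressed to the
# tunnel IP that did NOT arrive through the tunnel itself (in a script the "!"
# needs no backslash; that escape is only for interactive shells).
build_drop_rule() {
    printf 'iptables -t raw ! -i %s -d %s -j DROP\n' "$1" "$2"
}

# Live check on this machine; silently does nothing when the files are absent.
audit_host() {
    iface=${1:-tun0}
    conf=/proc/sys/net/ipv4/conf
    [ -r "$conf/all/rp_filter" ] && [ -r "$conf/$iface/rp_filter" ] || return 0
    all_val=$(cat "$conf/all/rp_filter")
    iface_val=$(cat "$conf/$iface/rp_filter")
    if rp_filter_is_strict "$all_val" "$iface_val"; then
        echo "rp_filter: strict on $iface (all=$all_val, $iface=$iface_val)"
    else
        echo "rp_filter: NOT strict; apply: sysctl -w net.ipv4.conf.all.rp_filter=1"
    fi
    tun_addr=$(ip -4 -o addr show dev "$iface" | awk '{print $4}' | cut -d/ -f1)
    [ -n "$tun_addr" ] && echo "raw-table rule: $(build_drop_rule "$iface" "$tun_addr")"
}

audit_host "$@"
```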

A general workaround for all operating systems would be to separate the L2 of the machine by using a VM or a non-bridged container. In that situation, the kernel of the machine connected to the network has no knowledge of the VPN interface, and therefore cannot leak any information.

We have decided to implement the IPTables solution for our Linux client. We will publish an update on social media when our Linux client has been updated. 

Android
To resolve this vulnerability on an Android device, you would need either a rooted phone, or Android developers would need to address the security flaw by releasing a fix in its operating system. We will closely monitor the progress on this issue on the Android platform.

iOS and macOS

Similarly, the solution for an iOS device would require either a jailbroken phone or Apple developers to fix this vulnerability in its operating system. There is no satisfactory resolution for macOS, either, until Apple provides an operating system update. However, Apple devices are “multihomed” to increase the level of connectivity between them, and CVE-2019-14899 affects precisely this configuration. It seems unlikely that Apple will decide to change this policy. We will closely monitor the situation on the macOS and iOS platforms.

Should I be concerned by this security flaw?

The answer to this question depends on your threat model. This security flaw does not allow mass surveillance, but it can be exploited to monitor individual users who connect to specific access points or LANs controlled by the attacker. If your threat model makes you concerned about this weakness, we advise you to connect to the VPN servers with our Windows app or to use our Linux client after we have implemented a fix. If you need to browse privately on an unknown network using an Android, iOS, or macOS device, connecting to the Tor network would also be a solution.

Please follow us on Reddit or Twitter, or visit this blog for updates on our progress regarding CVE-2019-14899.

Best Regards,
The Proton VPN Team
