Return to protonvpn.com Facebook   Twitter   Reddit   Instagram   Mastodon   ProtonMail

Statement from ProtonVPN regarding CVE-2019-14899

Posted on December 13th, 2019 by in Security.

On Dec. 4, security researchers at the IT security site SecLists announced a security flaw known as CVE-2019-14899 that affects all VPNs that use the OpenVPN protocol and most VPNs that use the IKEv2/IPSec protocol In narrow circumstances. This vulnerability cannot be used for mass surveillance. It allows attackers to actively probe (or “guess”) what IP and port a TCP connection is connected to. CVE-2019-14899 could represent a problem for users when they are specifically targeted by an attacker who controls the WiFi or LAN they are connected to, but the high difficulty of executing this attack versus the rather minimal access an attacker receives means this attack is unlikely to be deployed against the average VPN user.

Unfortunately, there is relatively little that VPN services can do themselves to patch the issue because it affects VPN connections by exploiting the operating system. While developers of Android, iOS, and macOS software work to resolve the problem, we are also taking steps to mitigate risks to our users, and we will be implementing a fix to our Linux client. This article describes those steps and explains more about the vulnerability.

What is CVE-2019-14899?

CVE-2019-14899 is not a flaw in any specific VPN service or VPN protocol. Rather, it is a clever exploit of the “weak host model” (for interested readers, here is a good explanation of weak host models), adopted by macOS, iOS, Android, and certain versions of Linux.

The vulnerability is inherent to the default IP routing strategies and policies that are used by route-based protocols (like OpenVPN). Android, iOS, and macOS only allow VPNs that use route-based protocols, so any VPN app on Android, iOS, and macOS is vulnerable. 

The situation is slightly different on Linux, where OpenVPN is a route-based protocol while StrongSwan and IKEv2/IPSec act as policy-based protocols (and thus not affected). The ProtonVPN Linux client uses OpenVPN and is therefore currently vulnerable, though we have identified a fix and are working to implement it. 

Windows apps, including the ProtonVPN Windows app, are not affected.

Learn more about VPN protocols.

Impact of CVE-2019-14899

Contrary to the sensational reporting online, this vulnerability does not permit data packet inspection or large-scale monitoring of user activity. Instead, it allows an attacker to probe a specific, known TCP connection and “guess” if it is connected to a specific destination IP and port. If the attacker guesses the correct IP and port, they will confirm the connection exists. If the connection is unencrypted, the attacker could then inject data into it.

Provided there is no reverse path filtering, an attacker that controls your L2 link (i.e., your WiFi or LAN) can send specially crafted packets to your device. The attacker can then use those packets to actively probe for certain properties of the TCP connections originating from your device. In other words, by controlling a device’s access point to the Internet, an attacker can infer if the user is connected to a specific host and port.

Additionally, if a TCP connection is unencrypted inside the VPN tunnel (if you visit a page that uses HTTP instead of HTTPS, for instance), the attacker can inject packets into that specific unencrypted stream. This would allow an attacker to feed your device fake HTML content for that particular stream. That would be dangerous, but as previously stated, the attacker must target a specific TCP connection, so it is not a simple vulnerability to exploit.

Possible solutions

Linux

To mitigate CVE-2019-14899, Linux clients have two possible solutions:

  • Enable strict reverse path filtering: sysctl net.ipv4.conf.all.rp_filter=1
  • Employ IPTables: iptables -t raw \! -i tun0 -d 10.0.0.0/8 -j DROP

A general workaround for all operating systems would be to separate the L2 of the machine by using a VM or a non-bridged container. In that situation, the kernel of the machine connected to the network has no knowledge of the VPN interface, and therefore cannot leak any information.

We have decided to implement the IPTables solution for our Linux client. We will publish an update on social media when our Linux client has been updated. 

Android

To resolve this vulnerability on an Android device, you would need either a rooted phone, or Android developers would need to address the security flaw by releasing a fix in its operating system. We will closely monitor the progress on this issue on the Android platform.

iOS and macOS

Similarly, the solution for an iOS device would require either a jail-broken phone or Apple developers to fix this vulnerability in its operating system. There is no satisfactory resolution for macOS, either, until Apple provides an operating system update. However, Apple devices are “multihomed” to increase the level of connectivity between them, and CVE-2019-14899 affects precisely this configuration. It seems unlikely that Apple will decide to change this policy. We will closely monitor the situation on macOS and iOS platforms. 

Should I be concerned by this security flaw?

The answer to this question depends on your threat model. This security flaw does not allow mass surveillance, but it can be exploited to monitor individual users who connect to specific access points or LANs controlled by the attacker. If your threat model makes you concerned about this weakness, we advise you to connect to the VPN servers with our Windows app or use our Linux client after we have implemented a fix. If you need to browse privately on an unknown network using an Android, iOS, or macOS device, connecting to the Tor network would also be a solution. 

Please follow us on Reddit, Twitter, or Mastodon or visit this blog for updates on our progress regarding CVE-2019-14899.

Best Regards,
The ProtonVPN Team

To get a free ProtonMail encrypted email account, visit: protonmail.com

Proton was founded by scientists who met at CERN and had the idea that an internet where privacy is the default is essential to preserving freedom. Our team of developers, engineers, and designers from all over the world is working to provide you with secure ways to be in control of your online data.

5 comments

  1. Orlando Smith, Esq.

    Have you informed Apple of this security flaw in iOS and macOS?

  2. Lex

    I’ve been wondering about the scenario. Imo only possible: visit a cafe, connect to it’s network which is compromised. You do browse sites that are typical for your location. https://whynohttps.com/ some here are rly .. mortifying. Apache, MIT, …. (w3 doesn’t seem to be case anymore) If you do happen to browse these sites …. Besides that prob. more usefull for jokes between family and friends. Where else do you have Network-Access, do know the accessed domain (at best HTTP) while the user makes use of a VPN in a Linux/Mobile environment?

  3. R. Daneel Olivaw

    Hello,

    Thank you for reporting this vulnerability. ProtonVPN is the only commercial VPN provider I trust, and I recommend ProtonVPN whenever a VPN is enough for one’s threat model.

    Speaking of this, I find your article’s conclusion misleading. The Tor browser and a VPN have different use cases, and for example a Turkish user shouldn’t use Tor at all. Precisely because the Tor browser (and TAILS) are the best anonymity solution for dissenters, a Turkish Tor user may end up in jail, or worse. On the other hand, VPNs are excellent against geoblocking, on public WiFi, for expats, etc.

    Have you found if this vulnerability affects OpenBSD? I just want to brag about my operating system ;)

    Thank you again.

  4. Lau

    I was waiting for hing kong server working, pla reply when can be finish ?

  5. Lau

    Pls reply when can finish hong kong server maintenance ? I was waiting for over 24 hrs …..

Comments are closed.

Secure your internet

Get ProtonVPN

For customer support inquiries, please submit the following form for the fastest response:
Support Form

For all other inquiries:
contact@protonvpn.com


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: OpenPGP.js v4.10.10
Comment: https://openpgpjs.org

xsBNBFiYeeIBCACpwuYcTsACyjQaqY3tOUonokamGZf3VDuLvcA9nQnu4vlB
n1RFFUJa5Pmf2yZ9EjJFSldTl5lreE3tFf53CcZ9wKa1R6aMnN/0VqURJho0
ZTqevQlCvuJ9kKHkDck3Em0/1WWnhDJgabp+fOa5HAHoAvcNy5gVPuexTT/N
wp6QcfB7w+qFhf73s0bcSn5RC+FAYlQxZVFhFtA7/7LthBVatDJrYLYP9XJd
zOZqz9AX0XZwKal25RcVeGHkNKgloo0bTgro4D88MR7saqXFHTRhy3+Wss7c
uqrh0uIkVmqtadoK/rAbqOyFXQ2DlvSMVrEMLUvwlZbC0taqcKDfNA+FABEB
AAHNLWNvbnRhY3RAcHJvdG9udnBuLmNvbSA8Y29udGFjdEBwcm90b252cG4u
Y29tPsLAfwQQAQgAKQUCWJh54wYLCQcIAwIJEN4dfnhhw11TBBUIAgoDFgIB
AhkBAhsDAh4BAAoJEN4dfnhhw11T6PwIAKgIHTUaEcCFQ5WfmwGpdhRgFe7H
gnHR8UOFPrRKnbCOQgTVPGwCFt8UVFhEgbmtroThU89DpxFSYUOD6nZ2k1X3
X4Q9OsItFUUuhPtLJrkz5ghtZLmsAH/edTRbVU1Ew1E8KbylLFI1J5yId7zR
GdnaTXv/E7P3po5X/b08TFAhXSyYYUbMeQuthbJajtpFygr53lm47cOWa4N8
udqLhmpheaQj04DuqYXOGC08JQn+XbHzhFl5Yvlt9Idk8+7c2UJ0qgWKQ5ZV
mquRAw5HDCQM5OqF1MoImDxOH+tK3PUlvFDsLZ1WPEOHK/EN12sPBx0x1R04
fcPTPdbMwgISGM3OwE0EWJh54gEIALqhrLUpvarPc0nkuHpyJC/MsrIDPLuV
qMc49tgjgDBsyIKJFEP9qCnkSOEixaFi+nTljUSpkHGR+PvEGecmcOdW6djN
QGxon/nwBT9d8HbtxJesaEIzwRAxmqQW9MqNq4UsfNQ0VvUYqV9wEbYfdDT/
jZfz9N0hjFELF1sg3UPcCRijhf162bp+rLQdO9vWVUbOdMQvsM/kyUJ6JMXR
xUtyKC05ddxii2SMr4XUW45ostPbxJybOF5oSZpEb1EIlrTLLPAe/498XlBW
hpRAPe+9ZfNs7drMvUEFnnOXahrXAuaaZpyaS/XBaloqSb1+v2AkUep3dbSF
PaRtbXRMS+kAEQEAAcLAaAQYAQgAEwUCWJh54wkQ3h1+eGHDXVMCGwwACgkQ
3h1+eGHDXVMZ4Qf4hu5N8/uYNDqJMFRIWSCpPGxmyIVXGARG4hgR8gwPZY9K
fReAUndX3uODBNIgZU7I3YntawU1DlP6GpP6yyR/8lfUMNCAXPDmd+zTFYIJ
UDHD8sw2GRrFVzFOKUpAapWFOI4XjSMP2UiK4HgrpUjAhe1wSaa7nEjtAuYT
zFx1QSuQD1iYcOF/FAm7EuhBIfWITjYAobGM6gonPbp3IPHM52rUbulllcdV
vCLs+blcyiVCGZlNcmlg3eibAJJL19TQLqT2DbQvQ/SyVBJGjoT+y4TTRtmZ
cebEjt2KJcc4x2lzPq3z2KJNyJTOTMB+aYD9Ma9IObDds+M/+5XDWi7f
=ueTT
-----END PGP PUBLIC KEY BLOCK-----

You can also Tweet to us:
@ProtonVPN