Statement from Proton VPN regarding CVE-2019-14899

On Dec. 4, security researchers at the IT security site SecLists(new window) announced a security flaw known as CVE-2019-14899 that affects all VPNs that use the OpenVPN protocol and most VPNs that use the IKEv2/IPSec protocol In narrow circumstances. This vulnerability cannot be used for mass surveillance. It allows attackers to actively probe (or “guess”) what IP and port a TCP connection is connected to. CVE-2019-14899 could represent a problem for users when they are specifically targeted by an attacker who controls the WiFi or LAN they are connected to, but the high difficulty of executing this attack versus the rather minimal access an attacker receives means this attack is unlikely to be deployed against the average VPN user.

Unfortunately, there is relatively little that VPN services can do themselves to patch the issue because it affects VPN connections by exploiting the operating system. While developers of Android, iOS, and macOS software work to resolve the problem, we are also taking steps to mitigate risks to our users, and we will be implementing a fix to our Linux client. This article describes those steps and explains more about the vulnerability.

What is CVE-2019-14899?

CVE-2019-14899 is not a flaw in any specific VPN service or VPN protocol. Rather, it is a clever exploit of the “weak host model” (for interested readers, here is a good explanation of weak host models(new window)), adopted by macOS, iOS, Android, and certain versions of Linux.

The vulnerability is inherent to the default IP routing strategies and policies that are used by route-based protocols (like OpenVPN). Android, iOS, and macOS only allow VPNs that use route-based protocols, so any VPN app on Android, iOS, and macOS is vulnerable. 

The situation is slightly different on Linux, where OpenVPN is a route-based protocol while StrongSwan and IKEv2/IPSec act as policy-based protocols (and thus not affected). The Proton VPN Linux client uses OpenVPN and is therefore currently vulnerable, though we have identified a fix and are working to implement it. 

Windows apps, including the Proton VPN Windows app, are not affected.

Learn more about VPN protocols(new window).

Impact of CVE-2019-14899

Contrary to the sensational reporting online, this vulnerability does not permit data packet inspection or large-scale monitoring of user activity. Instead, it allows an attacker to probe a specific, known TCP connection and “guess” if it is connected to a specific destination IP and port. If the attacker guesses the correct IP and port, they will confirm the connection exists. If the connection is unencrypted, the attacker could then inject data into it.

Provided there is no reverse path filtering, an attacker that controls your L2 link (i.e., your WiFi or LAN) can send specially crafted packets to your device. The attacker can then use those packets to actively probe for certain properties of the TCP connections originating from your device. In other words, by controlling a device’s access point to the Internet, an attacker can infer if the user is connected to a specific host and port.

Additionally, if a TCP connection is unencrypted inside the VPN tunnel (if you visit a page that uses HTTP instead of HTTPS, for instance), the attacker can inject packets into that specific unencrypted stream. This would allow an attacker to feed your device fake HTML content for that particular stream. That would be dangerous, but as previously stated, the attacker must target a specific TCP connection, so it is not a simple vulnerability to exploit.

Possible solutions

Linux

To mitigate CVE-2019-14899, Linux clients have two possible solutions:

  • Enable strict reverse path filtering: sysctl net.ipv4.conf.all.rp_filter=1
  • Employ IPTables: iptables -t raw \! -i tun0 -d 10.0.0.0/8 -j DROP

A general workaround for all operating systems would be to separate the L2 of the machine by using a VM or a non-bridged container. In that situation, the kernel of the machine connected to the network has no knowledge of the VPN interface, and therefore cannot leak any information.

We have decided to implement the IPTables solution for our Linux client. We will publish an update on social media when our Linux client has been updated. 

Android

To resolve this vulnerability on an Android device, you would need either a rooted phone, or Android developers would need to address the security flaw by releasing a fix in its operating system. We will closely monitor the progress on this issue on the Android platform.

iOS and macOS

Similarly, the solution for an iOS device would require either a jail-broken phone or Apple developers to fix this vulnerability in its operating system. There is no satisfactory resolution for macOS, either, until Apple provides an operating system update. However, Apple devices are “multihomed” to increase the level of connectivity between them, and CVE-2019-14899 affects precisely this configuration. It seems unlikely that Apple will decide to change this policy. We will closely monitor the situation on macOS and iOS platforms. 

Should I be concerned by this security flaw?

The answer to this question depends on your threat model. This security flaw does not allow mass surveillance, but it can be exploited to monitor individual users who connect to specific access points or LANs controlled by the attacker. If your threat model makes you concerned about this weakness, we advise you to connect to the VPN servers with our Windows app or use our Linux client after we have implemented a fix. If you need to browse privately on an unknown network using an Android, iOS, or macOS device, connecting to the Tor network(new window) would also be a solution. 

Please follow us on Reddit(new window), Twitter(new window), or visit this blog for updates on our progress regarding CVE-2019-14899.

Best Regards,
The Proton VPN Team

To get a free Proton Mail encrypted email account, visit: proton.me/mail(new window)

Protect your privacy and security online
Get Proton VPN free

Related articles

VPN on mobile device
Growing public awareness about the threat posed to our fundamental right to privacy by online trackers has fueled a surge in VPN adoption, a trend that has been boosted thanks to people spending more time online due to the Covid-19 pandemic. Althoug
Tor over VPN
  • Privacy deep dives
Tor is a powerful privacy tool, but you may not want to use Tor all by itself. Learn why you may want to connect to Tor over a VPN. When you connect to the Internet, especially if you’re using public WiFi, there’s a good chance people are watching y
Smart TV privacy
Smart TVs are essentially televisions that can watch you. Their surge in popularity, along with smart speakers, means corporations (and anyone that can hack these devices) have another window through which they can view your private activity. The dat
Expats should use a VPN
Living abroad can be an adventure, but it also presents unique online privacy obstacles. A VPN can help expats stay in touch with their family and avoid Internet censorship. In the age of the “digital nomad” more and more people are moving abroad. L
The internet is full of information, but some of it is inappropriate, especially for kids and sensitive adults. SafeSearch can help filter out this content to make browsing safer and improve your children’s privacy online. This article explains how
IP whitelisting best practices
IP whitelisting is a security mechanism that restricts access to networks, systems, or applications based on approved IP addresses. Only IP addresses on the whitelist are permitted to connect, while all others are denied access. This method is typica