Re: New Linux vulnerability lets attackers hijack VPN connections

2019-12-08 Thread Miroslav Lachman

Eugene Grosbein wrote on 2019/12/08 12:33:

> 08.12.2019 16:25, Miroslav Lachman wrote:
>
>> https://www.bleepingcomputer.com/news/security/new-linux-vulnerability-lets-attackers-hijack-vpn-connections/
>>
>> Security researchers found a new vulnerability allowing potential attackers to
>> hijack VPN connections on affected *NIX devices and inject arbitrary data
>> payloads into IPv4 and IPv6 TCP streams.
>>
>> They disclosed the security flaw tracked as CVE-2019-14899 to distros and the
>> Linux kernel security team, as well as to others impacted such as Systemd,
>> Google, Apple, OpenVPN, and WireGuard.
>>
>> The vulnerability is known to impact most Linux distributions and Unix-like
>> operating systems including FreeBSD, OpenBSD, macOS, iOS, and Android.
>>
>> Attacks exploiting CVE-2019-14899 work against OpenVPN, WireGuard, and
>> IKEv2/IPSec, but the researchers are still testing their feasibility against
>> Tor.
>>
>> https://seclists.org/oss-sec/2019/q4/122
>
> Why do these "researchers" call it "new"? There is nothing new in the lack of
> standard anti-spoofing filtering for network interfaces of any kind, be it
> tunnels or not.
>
> Our /etc/rc.firewall has had a "Stop spoofing" configuration by phk@ since the
> first revision committed in 1996.
> Our gif(4) interface has a built-in anti-spoofing feature enabled by default, too.


They need to hype it a bit. It sounds more urgent than "old 
vulnerability". And partly because it is new to some Linux distributions 
where some antispoof settings were turned off.


cite: We see that the default settings in sysctl.d/50-default.conf in 
the systemd repository were changed from “strict” to “loose” mode on 
November 28, 2018, so distributions using a version of systemd without 
modified configurations after this date are now vulnerable.



Miroslav Lachman
___
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
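
The "strict" versus "loose" setting quoted in the message above is the Linux `rp_filter` sysctl. The shell function below is an added example, not part of the thread or of any project's code, that reports the effective IPv4 mode per interface; the function names and the optional directory argument are choices made for this example.

```shell
#!/bin/sh
# Added example: report the effective IPv4 reverse-path filter mode per interface.
# Kernel rule: the value used for an interface is
#   max(conf/all/rp_filter, conf/<iface>/rp_filter)
# so a "loose" value in conf/all overrides a "strict" per-interface value.
#   0 = no source validation, 1 = strict, 2 = loose
# IPv4 only: Linux has no rp_filter sysctl for IPv6.

rp_mode_name() {
    case "$1" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# rp_filter_audit [CONF_DIR]
# Prints "<iface> <effective value> <mode>" for every interface.
# Returns 0 if all interfaces are strict, 1 if any is not, 2 on read error.
rp_filter_audit() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    all=$(cat "$conf_dir/all/rp_filter" 2>/dev/null) || {
        echo "cannot read $conf_dir/all/rp_filter" >&2
        return 2
    }
    status=0
    for f in "$conf_dir"/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        # "all" and "default" are templates, not real interfaces.
        case "$iface" in all|default) continue ;; esac
        own=$(cat "$f")
        if [ "$own" -gt "$all" ]; then eff=$own; else eff=$all; fi
        echo "$iface $eff $(rp_mode_name "$eff")"
        [ "$eff" -eq 1 ] || status=1
    done
    return $status
}
```

Called with no argument, `rp_filter_audit` reads the live values under /proc/sys/net/ipv4/conf; a directory argument lets it run against a saved copy.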


Re: New Linux vulnerability lets attackers hijack VPN connections

2019-12-08 Thread Eugene Grosbein
08.12.2019 16:25, Miroslav Lachman wrote:

> https://www.bleepingcomputer.com/news/security/new-linux-vulnerability-lets-attackers-hijack-vpn-connections/
> 
> Security researchers found a new vulnerability allowing potential attackers 
> to hijack VPN connections on affected *NIX devices and inject arbitrary data 
> payloads into IPv4 and IPv6 TCP streams.
> 
> They disclosed the security flaw tracked as CVE-2019-14899 to distros and the 
> Linux kernel security team, as well as to others impacted such as Systemd, 
> Google, Apple, OpenVPN, and WireGuard.
> 
> The vulnerability is known to impact most Linux distributions and Unix-like 
> operating systems including FreeBSD, OpenBSD, macOS, iOS, and Android.
> 
> Attacks exploiting CVE-2019-14899 work against OpenVPN, WireGuard, and 
> IKEv2/IPSec, but the researchers are still testing their feasibility against 
> Tor.
> 
> https://seclists.org/oss-sec/2019/q4/122

Why do these "researchers" call it "new"? There is nothing new in the lack of
standard anti-spoofing filtering for network interfaces of any kind, be it
tunnels or not.

Our /etc/rc.firewall has had a "Stop spoofing" configuration by phk@ since the
first revision committed in 1996.
Our gif(4) interface has a built-in anti-spoofing feature enabled by default, too.

