
CVE-2019-14899 Hijacking Bug

Posted: Fri Dec 06, 2019 9:53 pm
by protectivedad
What can I do to mitigate this? I notice that the tun device opened on my Android phone has:
cat /proc/sys/net/ipv4/conf/tun0/rp_filter
0

Do you have a way of creating a tunnel with the rp_filter set to 1?

Thanks.

Re: CVE-2019-14899 Hijacking Bug

Posted: Sat Dec 07, 2019 9:33 am
by admin
No, because this setting can be changed only with root permission.
I think that the problem will be fixed by Google with an OS patch.
Anyway, I will see if there are some other ways to mitigate the problem...

Re: CVE-2019-14899 Hijacking Bug

Posted: Sat Dec 07, 2019 10:52 am
by protectivedad
Thanks, I appreciate that. I use it to connect to my own private VPN when accessing public Wi-Fi. Do you know if this can only be mitigated with client-side settings? Will setting the rp_filter on my private VPN server have any effect on this?

Re: CVE-2019-14899 Hijacking Bug

Posted: Sat Dec 07, 2019 3:39 pm
by admin
No, because the problem should be related to the handling of network interfaces, and the bug can be used only on the local network.

Here you can find the response of the OpenVPN team:
https://openvpn.net/security-advisory/n ... -software/

Re: CVE-2019-14899 Hijacking Bug

Posted: Mon Dec 16, 2019 1:00 am
by Cantenna
protectivedad wrote:
Fri Dec 06, 2019 9:53 pm
What can I do to mitigate this? I notice that the tun device opened on my Android phone has:
cat /proc/sys/net/ipv4/conf/tun0/rp_filter
0

Do you have a way of creating a tunnel with the rp_filter set to 1?

Thanks.

If you're running OpenWrt, this can be mitigated by enabling "Drop invalid packets" in /network/firewall... which unfortunately makes it impossible to communicate with devices via OpenVPN Client by colucci, which is actually the reason why I've signed up to this forum in the first place.

Re: CVE-2019-14899 Hijacking Bug

Posted: Mon Dec 16, 2019 8:54 am
by admin
It seems there is a bit of confusion about this issue.
This security flaw should be fixed by a fix in the operating system and cannot be mitigated with changes in the remote server, because this attack is performed on the LAN where the client device is connected.
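
The `cat` check from the first post, extended into a read-only audit of every interface. This is an added example, not code from any poster or from the app; the function names `rp_effective` and `rp_audit` and the optional conf-root argument are assumptions made here. It relies on the kernel rule that source validation on an interface uses the larger of `conf/all/rp_filter` and `conf/<iface>/rp_filter`, so a per-interface 0 can still be overridden by `all`.

```sh
#!/bin/sh
# Added example (not from the thread): read-only rp_filter audit.
# Kernel semantics: the value applied to an interface is
# max(conf/all/rp_filter, conf/<iface>/rp_filter); 0=off, 1=strict, 2=loose.

# Print the effective rp_filter for interface $1 under conf root $2.
# Returns 2 if the interface has no rp_filter entry.
rp_effective() {
    conf="${2:-/proc/sys/net/ipv4/conf}"
    iface_val=$(cat "$conf/$1/rp_filter" 2>/dev/null) || return 2
    all_val=$(cat "$conf/all/rp_filter" 2>/dev/null) || all_val=0
    if [ "$all_val" -gt "$iface_val" ]; then
        echo "$all_val"
    else
        echo "$iface_val"
    fi
}

# Print "<iface> <effective> <mode>" for each interface under conf root $1.
# Returns 1 if any interface is not in strict mode (1), else 0.
rp_audit() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    status=0
    for dir in "$root"/*/; do
        iface=$(basename "$dir")
        # "all" and "default" are templates, not real interfaces.
        case "$iface" in all|default) continue ;; esac
        val=$(rp_effective "$iface" "$root") || continue
        case "$val" in
            0) mode=off; status=1 ;;
            1) mode=strict ;;
            2) mode=loose; status=1 ;;
            *) mode=unknown; status=1 ;;
        esac
        echo "$iface $val $mode"
    done
    return "$status"
}

# Usage: source this file, then run `rp_audit` to read the live /proc tree.
```

Like the `cat` in the first post, this only reads the values; changing them still requires root.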