CVE-2019-14899 Hijacking Bug

Support requests about OpenVPN Client
protectivedad
Posts: 2
Joined: Fri Dec 06, 2019 9:48 pm

CVE-2019-14899 Hijacking Bug

Post by protectivedad »

What can I do to mitigate this? I notice that the tun device opened on my Android phone has:
cat /proc/sys/net/ipv4/conf/tun0/rp_filter
0

Do you have a way of creating a tunnel with the rp_filter set to 1?

Thanks.

admin
Site Admin
Posts: 615
Joined: Fri Feb 15, 2019 4:04 pm

Re: CVE-2019-14899 Hijacking Bug

Post by admin »

No, because this setting can be changed only with root permission.
I think that the problem will be fixed by Google with an OS patch.
Anyway, I will see if there are some other ways to mitigate the problem...

protectivedad
Posts: 2
Joined: Fri Dec 06, 2019 9:48 pm

Re: CVE-2019-14899 Hijacking Bug

Post by protectivedad »

Thanks, I appreciate that. I use it to connect to my own private VPN when accessing public WiFi. Do you know if this can only be mitigated with client-side settings? Will setting the rp_filter on my private VPN server have any effect on this?

admin
Site Admin
Posts: 615
Joined: Fri Feb 15, 2019 4:04 pm

Re: CVE-2019-14899 Hijacking Bug

Post by admin »

No, because the problem should be related to the network interface handling, and the bug can be used only on the local network.

Here you can find the response of OpenVPN team:
https://openvpn.net/security-advisory/n ... -software/

Cantenna
Posts: 11
Joined: Mon Dec 16, 2019 12:33 am

Re: CVE-2019-14899 Hijacking Bug

Post by Cantenna »

protectivedad wrote:
Fri Dec 06, 2019 9:53 pm
What can I do to mitigate this? I notice that the tun device opened on my Android phone has:
cat /proc/sys/net/ipv4/conf/tun0/rp_filter
0

Do you have a way of creating a tunnel with the rp_filter set to 1?

Thanks.

If you're running OpenWrt, this can be mitigated by enabling "Drop invalid packets" in /network/firewall.... which unfortunately makes it impossible to communicate with devices via OpenVPN Client by colucci, which is actually the reason why I've signed up to this forum in the first place.

admin
Site Admin
Posts: 615
Joined: Fri Feb 15, 2019 4:04 pm

Re: CVE-2019-14899 Hijacking Bug

Post by admin »

It seems there is a bit of confusion about this issue.
This security flaw should be fixed by a fix in the operating system and cannot be mitigated with changes on the remote server, because this attack is performed on the LAN where the client device is connected.
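The thread above checks rp_filter on a single tun0 by hand. As an added example (not code from this forum, from the OpenVPN project, or from the client author), the script below audits the effective reverse-path filtering of every interface the way the kernel actually evaluates it (the larger of conf/all and conf/<iface>), and shows the root-only change the admin refers to. The SYSCTL_ROOT variable and the optional directory argument are assumptions added so the functions can be pointed at a copy of /proc/sys; on a live Linux host leave them at the default.

```shell
#!/bin/sh
# Root of the sysctl tree. Overridable so the audit can run against a copied
# or constructed tree (assumption for this example; default is the real one).
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Print "<iface> <effective rp_filter>" for every interface whose effective
# reverse-path filtering is 0 (disabled). Linux uses the maximum of
# conf/all/rp_filter and conf/<iface>/rp_filter, so both are considered.
# Returns 0 when every interface is filtered, 1 when at least one is not.
rp_filter_audit() {
    root="${1:-$SYSCTL_ROOT}"
    all_val=$(cat "$root/net/ipv4/conf/all/rp_filter" 2>/dev/null || echo 0)
    weak=0
    for f in "$root"/net/ipv4/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        # "all" and "default" are policy entries, not real interfaces.
        case "$iface" in all|default) continue ;; esac
        val=$(cat "$f")
        if [ "$val" -gt "$all_val" ]; then eff=$val; else eff=$all_val; fi
        if [ "$eff" -eq 0 ]; then
            echo "$iface $eff"
            weak=1
        fi
    done
    return $weak
}

# Enable strict reverse-path filtering (value 1) on one interface.
# This write needs root, which is why an unrooted Android client cannot
# apply it to tun0 as the thread discusses.
rp_filter_enable() {
    root="${2:-$SYSCTL_ROOT}"
    printf '1\n' > "$root/net/ipv4/conf/$1/rp_filter"
}
```

Running `rp_filter_audit` on a host prints only the interfaces that still accept packets from any source, so an empty result is the desired state.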
