
The Breakpointing Bad team at the University of New Mexico recently reported a VPN vulnerability that could allow malicious actors not only to see a user’s VPN IP address, but also to identify the sites they are visiting and inject data into their connections. The team, consisting of William J. Tolley, Beau Kujath, and Jedidiah R. Crandall, notified the public about the issue on December 4th, 2019, adding that the vulnerability, marked as CVE-2019-14899, affects many different types of VPN protocols, including OpenVPN, WireGuard, and IKEv2/IPSec.
“We have discovered a vulnerability in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android which allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgment numbers in use, allowing the bad actor to inject data into the TCP stream,” the researchers summarized the vulnerability in their disclosure. “This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel.”
To sum it up, the vulnerability allows attackers such as your internet service provider or even anyone on your network to inject data into the VPN connection using a three-step process.
The researchers tested the vulnerability on Linux and found that most Linux distros were vulnerable. The vulnerability also affects IPv6. Confirmed affected systems include the following:
- Ubuntu 19.10 (systemd)
- Fedora (systemd)
- Debian 10.2 (systemd)
- Arch 2019.05 (systemd)
- Manjaro 18.1.1 (systemd)
- MX Linux 19 (Mepis+antiX)
- Deepin (rc.d)
Private Internet Access (PIA) was the first to react and has released an update to its Linux client that prevents CVE-2019-14899 from being used to infer any information about its users’ VPN connections. And yes, we expect other VPNs to follow shortly, but we have to give a point to the PIA team for their quick response.
In its blog post announcing the update, PIA notes that its developers have been working round the clock to be the first to market with a production fix for CVE-2019-14899. The popular VPN also invites Linux users to download the latest version of Private Internet Access (1.7) for Linux from its download page. So if you’re a PIA user on Linux, make sure to do that ASAP. 😉