  <title>Stay safe on ProtonVPN despite CVE-2019-14899 - ProtonVPN Blog</title>
  <meta name="description" content="There is a new security flaw that affects all VPN services' Android, iOS, and macOS apps. Here's how to mitigate this vulnerability.">
  <meta property="article:section" content="Security">
  <meta property="article:published_time" content="2019-12-13T02:35:15+00:00">
<meta property="article:modified_time" content="2019-12-13T02:35:16+00:00">
<meta property="og:updated_time" content="2019-12-13T02:35:16+00:00">
<div class="container main">
<div class="row">
<div class="col-lg-9">
<div class="clear"></div>
<h1>Statement from ProtonVPN regarding CVE-2019-14899</h1>
  Posted on December 13th, 2019 by Proton Team in Security.
<div class="entry">
<p>On Dec. 4, security researchers announced, in a post to the oss-security mailing list (archived on the <a rel="noreferrer noopener" aria-label=" (opens in a new tab)" href="" target="_blank">IT security site SecLists</a>),
a security flaw known as CVE-2019-14899 that affects all VPNs
that use the OpenVPN protocol and, in narrower circumstances, most VPNs that use the IKEv2/IPSec
protocol. <strong>This vulnerability cannot be
used for mass surveillance. It allows an attacker on the local network to actively probe (or
“guess”) which destination IP and port an existing TCP connection is talking to. </strong>CVE-2019-14899
could represent a problem for users when they are specifically targeted
by an attacker who controls the WiFi or LAN they are connected to, but
the high difficulty of executing this attack versus the rather minimal
access an attacker receives means this attack is unlikely to be deployed
against the average VPN user.</p>
<p>Unfortunately, there is relatively little that VPN services can do
themselves to patch the issue because it affects VPN connections by
exploiting the operating system. While developers of Android, iOS, and
macOS software work to resolve the problem, we are also taking steps to
mitigate risks to our users, and we will be implementing a fix to our
Linux client. This article describes those steps and explains more about
the vulnerability.</p>
<h3>What is CVE-2019-14899?</h3>
<p>CVE-2019-14899 is not a flaw in any specific VPN service or VPN
protocol. Rather, it is a clever exploit of the “weak host model”, under which a host accepts a packet addressed to any of its local IP addresses on any of its interfaces, not only on the interface that owns that address (for
interested readers, here is a good explanation of <a href="" target="_blank" rel="noreferrer noopener" aria-label=" (opens in a new tab)">weak host models</a>). This model is adopted by macOS, iOS, Android, and certain versions of Linux.</p>
<p>The vulnerability is inherent to the default IP routing strategies
and policies that are used by route-based protocols (like OpenVPN).
Android, iOS, and macOS only allow VPNs that use route-based protocols,
so <strong>any VPN app on Android, iOS, and macOS is vulnerable.&nbsp;</strong></p>
<p>The situation is slightly different on Linux, where OpenVPN is a
route-based protocol (traffic is steered into a VPN interface with its own IP address), while strongSwan's IKEv2/IPSec implementation is
policy-based (traffic is selected by IPsec policy, with no VPN interface address for the kernel to answer on) and is therefore not affected. The ProtonVPN Linux
client uses OpenVPN and is therefore currently vulnerable, though we
have identified a fix and are working to implement it.&nbsp;</p>
<p><strong>Windows apps, including the ProtonVPN Windows app, are not affected.</strong></p>
<p><em>Learn more about <a href="" target="_blank" rel="noreferrer noopener" aria-label=" (opens in a new tab)">VPN protocols</a>.</em></p>
<h3>Impact of CVE-2019-14899</h3>
<p>Contrary to the sensational reporting online, <strong>this vulnerability does not permit data packet inspection or large-scale monitoring of user activity</strong>.
Instead, it allows an attacker to probe a specific, known TCP
connection and “guess” if it is connected to a specific destination IP
and port. If the attacker guesses the correct IP and port, they will
confirm the connection exists. If the connection is unencrypted, the
attacker could then inject data into it.</p>
<p>Provided reverse path filtering is not enforced in strict mode, an attacker who
controls your L2 link (i.e., your WiFi or LAN) can send specially
crafted packets to your device that are addressed to the IP of your VPN interface. Because of the weak host model, the device
processes those packets even though they arrived on the WiFi or LAN interface rather than through the tunnel, and the attacker can use them
to actively probe for certain properties of the TCP connections
originating from your device. In other words, by controlling a device’s
access point to the Internet, an attacker can infer if the user is
connected to a specific host and port.</p>
<p>Additionally, if a TCP connection is unencrypted inside the VPN
tunnel (if you visit a page that uses HTTP instead of HTTPS, for
instance), the attacker can inject packets into that specific
unencrypted stream. This would allow an attacker to feed your device
fake HTML content for that particular stream. That would be dangerous,
but as previously stated, the attacker must target a specific TCP
connection, so it is not a simple vulnerability to exploit.</p>
<h3>Possible solutions</h3>
<p><strong>Linux</strong></p>
<p>To mitigate CVE-2019-14899, Linux clients have two possible solutions:</p>
<ul><li>Enable strict reverse path filtering: <code>sysctl -w net.ipv4.conf.all.rp_filter=1</code> (mode 1 is strict; the loose mode 2 that some distributions now set by default does not stop this attack, because the tunnel address is reachable through <em>some</em> interface)</li><li>Employ IPTables to drop any packet addressed to the tunnel IP that did not arrive on the tunnel interface: <code>iptables -t raw -A PREROUTING ! -i tun0 -d &lt;tunnel IP&gt; -j DROP</code>, where <code>&lt;tunnel IP&gt;</code> is the address assigned to your VPN interface</li></ul>
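<p>As an added example (not code from the ProtonVPN post or from its Linux client), the following POSIX shell helpers audit the two Linux mitigations above and emit the commands to apply them. They assume the VPN interface name and tunnel address are supplied by the caller, and that <code>PROC_CONF</code> points at <code>/proc/sys/net/ipv4/conf</code> (it can be redirected to a constructed directory tree for offline checking). The audit encodes the kernel's rule that the effective <code>rp_filter</code> for an interface is the maximum of <code>conf/all</code> and <code>conf/&lt;iface&gt;</code>, which is why a distribution default of loose mode (2) on <code>all</code> silently overrides strict mode (1) set on a single interface.</p>

```sh
#!/bin/sh
# Added example, not part of the ProtonVPN post or client.
# Audits reverse path filtering and emits the CVE-2019-14899 mitigations.
# Assumption: PROC_CONF is the ipv4 per-interface sysctl tree; it may be
# pointed at a constructed copy for testing without root.

PROC_CONF="${PROC_CONF:-/proc/sys/net/ipv4/conf}"

# Effective rp_filter for one interface is max(conf/all, conf/<iface>)
# (Documentation/networking/ip-sysctl.txt). 0 = off, 1 = strict, 2 = loose.
effective_rp_filter() {
    iface="$1"
    all=$(cat "$PROC_CONF/all/rp_filter" 2>/dev/null || echo 0)
    own=$(cat "$PROC_CONF/$iface/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# Print "<iface> <effective> ok|WEAK" for every real interface.
# Returns 1 if any interface is not in strict mode, so it can gate a script.
audit_rp_filter() {
    rc=0
    for dir in "$PROC_CONF"/*/; do
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        eff=$(effective_rp_filter "$iface")
        if [ "$eff" -eq 1 ]; then state=ok; else state=WEAK; rc=1; fi
        printf '%s %s %s\n' "$iface" "$eff" "$state"
    done
    return $rc
}

# Emit the two mitigations for a tunnel interface and its assigned address.
# The raw-table rule drops packets for the tunnel IP that arrive on any other
# interface: that is exactly the spoofed probe an on-path attacker sends,
# while the VPN's own encapsulated traffic is addressed to the uplink IP and
# is unaffected.  Run the printed commands as root.
emit_mitigation() {
    tun_if="$1"; tun_addr="$2"
    printf 'sysctl -w net.ipv4.conf.all.rp_filter=1\n'
    printf 'iptables -t raw -A PREROUTING ! -i %s -d %s -j DROP\n' "$tun_if" "$tun_addr"
}
```

<p>Run <code>audit_rp_filter</code> as an unprivileged user to see which interfaces are weak; <code>emit_mitigation tun0 10.8.0.2</code> prints the commands to apply (the interface name and tunnel address here are assumed for illustration, not values from ProtonVPN).</p>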
<p>A general workaround for all operating systems would be to separate
the L2 of the machine by using a VM or a non-bridged container. In that
situation, the kernel of the machine connected to the network has no
knowledge of the VPN interface, and therefore cannot leak any
information.</p>
<p><strong>We have decided to implement the IPTables solution for our Linux client.</strong> We will publish an update on social media when our Linux client has been updated.&nbsp;</p>
<p><strong>Android</strong></p>
<p>To resolve this vulnerability on an Android device, you would need
either a rooted phone, or Android developers would need to address the
security flaw by releasing a fix in its operating system. We will
closely monitor the progress on this issue on the Android platform.</p>
<p><strong>iOS and macOS</strong></p>
<p>Similarly, the solution for an iOS device would require either a
jail-broken phone or Apple to fix this vulnerability in its
operating system. There is no satisfactory resolution for macOS, either,
until Apple provides an operating system update. However, Apple devices
are deliberately “multihomed” to increase the level of connectivity between them,
and CVE-2019-14899 affects precisely this configuration. It seems
unlikely that Apple will decide to change this policy. We will closely
monitor the situation on macOS and iOS platforms.&nbsp;</p>
<h3>Should I be concerned by this security flaw?</h3>
<p>The answer to this question depends on your threat model. This
security flaw does not allow mass surveillance, but it can be exploited
to monitor individual users who connect to specific access points or
LANs controlled by the attacker. If your threat model makes you
concerned about this weakness, we advise you to connect to the VPN
servers with our Windows app or use our Linux client after we have
implemented a fix. If you need to browse privately on an unknown network
using an Android, iOS, or macOS device, connecting to the <a href="" target="_blank" rel="noreferrer noopener" aria-label=" (opens in a new tab)">Tor network</a> would also be a solution.&nbsp;</p>
<p>Please follow us on <a href="">Reddit</a>, <a rel="noreferrer noopener" href="" target="_blank">Twitter</a>, or <a href="">Mastodon</a> or visit this blog for updates on our progress regarding CVE-2019-14899.</p>
<p>Best Regards,<br>The ProtonVPN Team</p>
<p><strong>To get a free ProtonMail encrypted email account, visit:&nbsp;</strong><a rel="noreferrer noopener" href="" target="_blank"><strong></strong></a></p>
</div>
</div>
</div>
</div>
