Breakpointing-Bad-Public
/
vpn-attacks
7
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
30 Commits
1 Branch
0 Tags
530 MiB
Tree: 415cbb0b25
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '415cbb0b25'
${ noResults }
vpn-attacks/vendor-patches/WireGuard/Regarding 'Inferring and hi...

124 lines
9.3 KiB
Raw Normal View History

Adding uncompressed vendor and disclosure info
4 years ago
  1. <html><head>
  2. <meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Regarding "Inferring and hijacking VPN-tunneled TCP connections" - Jason A. Donenfeld</title><link rel="alternate" title="Atom feed" href="https://lore.kernel.org/wireguard/new.atom" type="application/atom+xml"><style>pre{white-space:pre-wrap}*{font-size:100%;font-family:monospace}</style><link type="text/css" rel="stylesheet" href="Regarding%20'Inferring%20and%20hijacking%20VPN-tunneled%20TCP%20connections'%20-%20Jason%20A.%20Donenfeld_files/null.css" title="default"><link type="text/css" rel="stylesheet" href="Regarding%20'Inferring%20and%20hijacking%20VPN-tunneled%20TCP%20connections'%20-%20Jason%20A.%20Donenfeld_files/216light.css" media="screen,(prefers-color-scheme:light)" title="216light"><link type="text/css" rel="stylesheet" href="Regarding%20'Inferring%20and%20hijacking%20VPN-tunneled%20TCP%20connections'%20-%20Jason%20A.%20Donenfeld_files/216dark.css" media="screen,(prefers-color-scheme:dark)" title="216dark"></head><body data-new-gr-c-s-check-loaded="8.869.0" data-gr-ext-installed=""><form action="../"><pre><b>WireGuard Archive on lore.kernel.org</b>
  3. <input name="q" type="text"><input type="submit" value="search"> <a href="https://lore.kernel.org/wireguard/_/text/help">help</a> / <a href="https://lore.kernel.org/wireguard/_/text/color">color</a> / <a href="https://lore.kernel.org/wireguard/new.atom">Atom feed</a></pre></form><pre id="b">From: "Jason A. Donenfeld" &lt;Jason@zx2c4.com&gt;
  4. To: WireGuard mailing list &lt;wireguard@lists.zx2c4.com&gt;
  5. Subject: <a href="#r" id="t">Regarding "Inferring and hijacking VPN-tunneled TCP connections"</a>
  6. Date: Thu, 5 Dec 2019 20:13:18 +0100
  7. Message-ID: &lt;20191205191318.GA44156@zx2c4.com&gt; (<a href="https://lore.kernel.org/wireguard/20191205191318.GA44156@zx2c4.com/raw">raw</a>)
  9. Hey folks,
  11. William unembargoed his nice vuln this week: <a href="https://seclists.org/oss-sec/2019/q4/122">https://seclists.org/oss-sec/2019/q4/122</a>
  13. It appears to affect basically most common unix network stacks. This
  14. isn't a WireGuard vulnerability, but rather something in the routing
  15. table code and/or TCP code on affected operating systems. However, it
  16. does affect us, since WireGuard exists on those affected OSes.
  18. Some might chalk it up to just a configuration error, dismissing it as,
  19. "well, if you configure your networking stack poorly, bad things will
  20. happen," but I don't really buy that: the network setups affected by
  21. this vulnerability are pretty much the norm everywhere.
  23. And it turns out that we actually are in the business of properly
  24. configuring people's networking stacks. Specifically, the tools we ship
  25. come with the little bash script, wg-quick(8), which is a popular way of
  26. automating some common tasks. We've started looking at kernel-level
  27. mitigations within the Linux networking stack, but before those are
  28. ready, I thought it would be prudent to put some first-level defenses
  29. into wg-quick(8) itself.
  31. For that reason, since November, wg-quick(8) has added a few iptables(8)
  32. rules. I really dislike having wg-quick(8) grow any sort of dependency
  33. on iptables(8) (and eventually on nftables(8)), but at the moment, I
  34. don't see a viable alternative. Suggestions are welcome. In particular,
  35. we're adding a rule that is something like:
  37. &nbsp; &nbsp; iptables -t raw -I PREROUTING ! -i wg0 -d 10.182.12.8 -m addrtype ! --src-type LOCAL -j DROP
  39. where wg0 is the WireGuard interface and 10.182.12.8 is the local IP of
  40. the interface.
  42. This says to drop all packets that are sent to that IP address that
  43. aren't coming from the WireGuard interface. And it's done very early in
  44. Netfilter, in the "raw" table. The researchers have confirmed that this
  45. mitigates the issue.
  47. Adding iptables(8) into wg-quick(8) has been predictably problematic,
  48. and it'll probably be at least another snapshot until we get things
  49. bug-free on all the different variations of the utility that distros
  50. ship, but we'll get there. In the meantime, I'd certainly appreciate
  51. patches to do the same with nftables(8), as well as some fresh thoughts
  52. on how to accomplish this same thing _without_ the firewall. (In the
  53. process of writing this email, for example, I had an idea regarding
  54. ip-rule(8) that might work out, but I haven't tried yet.) We also have
  55. some non-Linux operating systems to consider.
  58. Feedback welcome.
  60. Regards,
  61. Jason
  62. _______________________________________________
  63. WireGuard mailing list
  64. WireGuard@lists.zx2c4.com
  65. <a href="https://lists.zx2c4.com/mailman/listinfo/wireguard">https://lists.zx2c4.com/mailman/listinfo/wireguard</a>
  66. </pre><hr><pre><a href="https://lore.kernel.org/wireguard/db72ae85-4e68-1745-e11b-0fb81016358e@gmail.com/" rel="next">next</a> <a href="#R">reply</a> <a href="https://lore.kernel.org/wireguard/">index</a>
  68. <b>Thread overview: </b>14+ messages / expand[<a href="https://lore.kernel.org/wireguard/20191205191318.GA44156@zx2c4.com/T/#u">flat</a>|<a href="https://lore.kernel.org/wireguard/20191205191318.GA44156@zx2c4.com/t/#u">nested</a>] <a href="https://lore.kernel.org/wireguard/20191205191318.GA44156@zx2c4.com/t.mbox.gz">mbox.gz</a> <a href="https://lore.kernel.org/wireguard/20191205191318.GA44156@zx2c4.com/t.atom">Atom feed</a> <a href="#b">top</a>
  69. <b>2019-12-05 19:13 <a id="r" href="#t">Jason A. Donenfeld [this message]</a></b>
  70. 2019-12-05 19:50 ` <a href="https://lore.kernel.org/wireguard/db72ae85-4e68-1745-e11b-0fb81016358e@gmail.com/">Vasili Pupkin</a>
  71. 2019-12-05 20:24 ` <a href="https://lore.kernel.org/wireguard/CAHmME9osDRPQvfYMexRcAhHdAb-x2PjD8Wnf+nrcHyX42ivmqA@mail.gmail.com/">Jason A. Donenfeld</a>
  72. 2019-12-05 21:28 ` <a href="https://lore.kernel.org/wireguard/fdc450ad-f382-87d7-4c63-c31d595295df@gmail.com/">Vasili Pupkin</a>
  73. 2019-12-06 15:18 ` <a href="https://lore.kernel.org/wireguard/CAHmME9pTt2MPH3gxks8S=3hVKS6P2XFkJd5eT7uivsoK7QPMJg@mail.gmail.com/">Jason A. Donenfeld</a>
  74. 2019-12-06 17:21 ` <a href="https://lore.kernel.org/wireguard/6e0b3973-7874-275f-a9ec-cb7bf684cc7b@gmail.com/">Vasili Pupkin</a>
  75. 2019-12-07 20:51 ` <a href="https://lore.kernel.org/wireguard/EA649C00-DEF2-464F-A5DF-9A81FA6FB5C4@lonnie.abelbeck.com/">Lonnie Abelbeck</a>
  76. 2019-12-06 12:58 ` <a href="https://lore.kernel.org/wireguard/4e3e406b9511495b10964975b848cd686fa05719.camel@breakpointingbad.com/">William J. Tolley</a>
  77. 2019-12-06 15:06 ` <a href="https://lore.kernel.org/wireguard/51usC7EJy_alaYnTOuLCvYhTzzcKrvAfq01j0Vfu5QVd6OGARQLdDDqQymloKWhWqkp81E09bpwjSRw5mnJDwg5fv8FuAVS-W0CYLuJlpRI=@protonmail.ch/">Jordan Glover</a>
  78. 2019-12-06 15:08 ` <a href="https://lore.kernel.org/wireguard/CAHmME9qUWRO76NJrnO5iNoWuauvMT3kf+qM1bY49bVkcBFXY9g@mail.gmail.com/">Jason A. Donenfeld</a>
  79. 2019-12-06 16:03 ` <a href="https://lore.kernel.org/wireguard/1bcf459c-4c08-33b2-19da-31cb62fd56a1@gmail.com/">Vasili Pupkin</a>
  80. 2019-12-06 16:12 ` <a href="https://lore.kernel.org/wireguard/sZXjoRuWmvBHjZtlb28qeohg4R8BAHjCk5b-I2TWb5-ew1OZJBGYefxuSzTjFP7e5lESacVJMtp4fKIl7wyXJCI1iIznqnStW6OxG-P9YeQ=@protonmail.ch/">Jordan Glover</a>
  81. 2019-12-06 17:06 ` <a href="https://lore.kernel.org/wireguard/860fe8c7-de2a-57c7-e69a-7ae9cbf263ae@gmail.com/">Vasili Pupkin</a>
  82. 2019-12-05 20:10 ` <a href="https://lore.kernel.org/wireguard/eb8ebc51-aed6-fb83-9069-f699d430c4e5@trustiosity.com/">zrm</a>
  83. </pre><hr><pre id="R"><b>Reply instructions:</b>
  85. You may reply publicly to <a href="#t">this message</a> via plain-text email
  86. using any one of the following methods:
  88. * Save the following mbox file, import it into your mail client,
  89. and reply-to-all from there: <a href="https://lore.kernel.org/wireguard/20191205191318.GA44156@zx2c4.com/raw">mbox</a>
  91. Avoid top-posting and favor interleaved quoting:
  92. <a href="https://en.wikipedia.org/wiki/Posting_style#Interleaved_style">https://en.wikipedia.org/wiki/Posting_style#Interleaved_style</a>
  94. * Reply using the <b>--to</b>, <b>--cc</b>, and <b>--in-reply-to</b>
  95. switches of git-send-email(1):
  97. git send-email \
  98. --in-reply-to=20191205191318.GA44156@zx2c4.com \
  99. --to=jason@zx2c4.com \
  100. --cc=wireguard@lists.zx2c4.com \
  101. /path/to/YOUR_REPLY
  103. <a href="https://kernel.org/pub/software/scm/git/docs/git-send-email.html">https://kernel.org/pub/software/scm/git/docs/git-send-email.html</a>
  105. * If your mail client supports setting the <b>In-Reply-To</b> header
  106. via mailto: links, try the <a href="mailto:jason%40zx2c4.com?In-Reply-To=%3C20191205191318.GA44156@zx2c4.com%3E&amp;Cc=wireguard%40lists.zx2c4.com&amp;Subject=Re%3A%20Regarding%20%22Inferring%20and%20hijacking%20VPN-tunneled%20TCP%20connections%22">mailto: link</a>
  107. </pre>
  108. <hr><pre>WireGuard Archive on lore.kernel.org
  110. Archives are clonable:
  111. git clone --mirror https://lore.kernel.org/wireguard/0 wireguard/git/0.git
  113. # If you have public-inbox 1.1+ installed, you may
  114. # initialize and index your mirror using the following commands:
  115. public-inbox-init -V2 wireguard wireguard/ https://lore.kernel.org/wireguard \
  116. wireguard@lists.zx2c4.com
  117. public-inbox-index wireguard
  119. Example <a href="https://lore.kernel.org/wireguard/_/text/config/raw">config snippet</a> for mirrors
  121. Newsgroup available over NNTP:
  122. <a href="nntp://nntp.lore.kernel.org/com.zx2c4.lists.wireguard">nntp://nntp.lore.kernel.org/com.zx2c4.lists.wireguard</a>
  125. AGPL code for this site: git clone <a href="https://public-inbox.org/public-inbox.git">https://public-inbox.org/public-inbox.git</a></pre></body></html>