Showing with 22 additions and 0 deletions.
  1. +5 −0 CHANGELOG.md
  2. +17 −0 talpid-core/src/firewall/linux.rs
@@ -26,6 +26,11 @@ Line wrap the file at 100 chars. Th
### Fixed
- Fix improved WireGuard port selection

### Security
#### Linux
- Stop [CVE-2019-14899](https://seclists.org/oss-sec/2019/q4/122) by dropping all packets destined
for the tunnel IP coming in on some other interface than the tunnel.


## [2019.10-beta2] - 2019-12-05
### Added
@@ -362,6 +362,9 @@ impl<'a> PolicyBatch<'a> {
self.add_dns_rule(tunnel, TransportProtocol::Udp)?;
self.add_dns_rule(tunnel, TransportProtocol::Tcp)?;
self.add_allow_tunnel_rules(tunnel)?;
if *allow_lan {
self.add_block_cve_2019_14899(tunnel);
}
*allow_lan
}
FirewallPolicy::Blocked { allow_lan } => *allow_lan,
@@ -470,6 +473,20 @@ impl<'a> PolicyBatch<'a> {
Ok(())
}

/// Adds rules for stopping [CVE-2019-14899](https://seclists.org/oss-sec/2019/q4/122).
/// An attacker on the same local network as the VPN connected device could figure out
/// the tunnel IP the device used if the device was set to not filter reverse path (rp_filter.)
/// These rules stops all packets coming in to the tunnel IP. As such, these rules must come
/// after the rule allowing the tunnel, otherwise even the tunnel can't talk to that IP.
fn add_block_cve_2019_14899(&mut self, tunnel: &tunnel::TunnelMetadata) {
for tunnel_ip in &tunnel.ips {
let mut rule = Rule::new(&self.in_chain);
check_ip(&mut rule, End::Dst, *tunnel_ip);
add_verdict(&mut rule, &Verdict::Drop);
self.batch.add(&rule, nftnl::MsgType::Add);
}
}

fn add_allow_lan_rules(&mut self) {
// LAN -> LAN
for net in &*super::ALLOWED_LAN_NETS {
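Review bot: `add_block_cve_2019_14899` drops every packet whose destination is a tunnel IP without matching the input interface, so the mitigation is correct only because `add_allow_tunnel_rules` runs first in the earlier hunk, and any other accept rule for that address (a loopback accept, if one exists earlier in `in_chain`, which this page does not show) must precede it as well; that ordering dependency is easy to break in a later refactor and is only recorded in prose. Matching the input interface against the tunnel's interface and dropping only packets that did not arrive on it would make the rule self-contained, assuming `tunnel::TunnelMetadata` carries the interface name. The call site gates the rule on `*allow_lan`, which presumably relies on the chain's default drop covering the non-LAN case; a comment there, `// Only needed when LAN traffic is accepted; otherwise the chain's default drop already covers it`, would record that assumption, and the function containing that call starts outside the hunk. The doc comment reads `These rules stops all packets` — should be `These rules stop all packets`, and `(rp_filter.)` should be `(rp_filter).`; `add_allow_lan_rules` continues past the end of the hunk.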
