Statement from ProtonVPN regarding CVE-2019-14899

On Dec. 4, security researchers at the IT security site SecLists announced a security flaw known as CVE-2019-14899 that affects all VPNs that use the OpenVPN protocol and most VPNs that use the IKEv2/IPSec protocol In narrow circumstances. This vulnerability cannot be used for mass surveillance. It allows attackers to actively probe (or “guess”) what IP and port a TCP connection is connected to. CVE-2019-14899 could represent a problem for users when they are specifically targeted by an attacker who controls the WiFi or LAN they are connected to, but the high difficulty of executing this attack versus the rather minimal access an attacker receives means this attack is unlikely to be deployed against the average VPN user.

Unfortunately, there is relatively little that VPN services can do themselves to patch the issue because it affects VPN connections by exploiting the operating system. While developers of Android, iOS, and macOS software work to resolve the problem, we are also taking steps to mitigate risks to our users, and we will be implementing a fix to our Linux client. This article describes those steps and explains more about the vulnerability.

What is CVE-2019-14899?

CVE-2019-14899 is not a flaw in any specific VPN service or VPN protocol. Rather, it is a clever exploit of the “weak host model” (for interested readers, here is a good explanation of weak host models), adopted by macOS, iOS, Android, and certain versions of Linux.

The vulnerability is inherent to the default IP routing strategies and policies that are used by route-based protocols (like OpenVPN). Android, iOS, and macOS only allow VPNs that use route-based protocols, so any VPN app on Android, iOS, and macOS is vulnerable. 

The situation is slightly different on Linux, where OpenVPN is a route-based protocol while StrongSwan and IKEv2/IPSec act as policy-based protocols (and thus not affected). The ProtonVPN Linux client uses OpenVPN and is therefore currently vulnerable, though we have identified a fix and are working to implement it. 

Windows apps, including the ProtonVPN Windows app, are not affected.

Learn more about VPN protocols.

Impact of CVE-2019-14899

Contrary to the sensational reporting online, this vulnerability does not permit data packet inspection or large-scale monitoring of user activity. Instead, it allows an attacker to probe a specific, known TCP connection and “guess” if it is connected to a specific destination IP and port. If the attacker guesses the correct IP and port, they will confirm the connection exists. If the connection is unencrypted, the attacker could then inject data into it.

Provided there is no reverse path filtering, an attacker that controls your L2 link (i.e., your WiFi or LAN) can send specially crafted packets to your device. The attacker can then use those packets to actively probe for certain properties of the TCP connections originating from your device. In other words, by controlling a device’s access point to the Internet, an attacker can infer if the user is connected to a specific host and port.

Additionally, if a TCP connection is unencrypted inside the VPN tunnel (if you visit a page that uses HTTP instead of HTTPS, for instance), the attacker can inject packets into that specific unencrypted stream. This would allow an attacker to feed your device fake HTML content for that particular stream. That would be dangerous, but as previously stated, the attacker must target a specific TCP connection, so it is not a simple vulnerability to exploit.

Possible solutions

Linux

To mitigate CVE-2019-14899, Linux clients have two possible solutions:

• Enable strict reverse path filtering: sysctl net.ipv4.conf.all.rp_filter=1
• Employ IPTables: iptables -t raw \! -i tun0 -d 10.0.0.0/8 -j DROP

A general workaround for all operating systems would be to separate the L2 of the machine by using a VM or a non-bridged container. In that situation, the kernel of the machine connected to the network has no knowledge of the VPN interface, and therefore cannot leak any information.

We have decided to implement the IPTables solution for our Linux client. We will publish an update on social media when our Linux client has been updated. 

Android

To resolve this vulnerability on an Android device, you would need either a rooted phone, or Android developers would need to address the security flaw by releasing a fix in its operating system. We will closely monitor the progress on this issue on the Android platform.

iOS and macOS

Similarly, the solution for an iOS device would require either a jail-broken phone or Apple developers to fix this vulnerability in its operating system. There is no satisfactory resolution for macOS, either, until Apple provides an operating system update. However, Apple devices are “multihomed” to increase the level of connectivity between them, and CVE-2019-14899 affects precisely this configuration. It seems unlikely that Apple will decide to change this policy. We will closely monitor the situation on macOS and iOS platforms. 

Should I be concerned by this security flaw?

The answer to this question depends on your threat model. This security flaw does not allow mass surveillance, but it can be exploited to monitor individual users who connect to specific access points or LANs controlled by the attacker. If your threat model makes you concerned about this weakness, we advise you to connect to the VPN servers with our Windows app or use our Linux client after we have implemented a fix. If you need to browse privately on an unknown network using an Android, iOS, or macOS device, connecting to the Tor network would also be a solution. 

Please follow us on Reddit, Twitter, or Mastodon or visit this blog for updates on our progress regarding CVE-2019-14899.

Best Regards,
The ProtonVPN Team

To get a free ProtonMail encrypted email account, visit: protonmail.com