
CVE-2019-14899 hijacking VPN connections

Hi,

Is it known to what extent Sophos products are affected by the vulnerability?

 

https://www.terabitweb.com/2019/12/06/cve-2019-14899-vpn-flaw-html/



  • Hi  

    I believe this CVE has been reserved at the moment and more details will be available later. I will check with the internal team and see if there's any information available about this as of now.

    Regards

    Jaydeep

  • In the meantime: Naked Security already put some information on this CVE. https://nakedsecurity.sophos.com/2019/12/09/networking-attack-gives-hijackers-vpn-access/


  • Hi  

    I have requested development to provide feedback on this CVE number.

    This will take about 3-4 weeks to process and I should have feedback then.

    Thanks!

    KingChris
    Community Support | Sophos Support

    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • Hi Community,

    We are tracking this under ID NC-53926.

    As soon as feedback is received, this post will be updated.

    Thanks!

    KingChris
    Community Support | Sophos Support


  • Hi Folks

    I have just been watching the latest 'Security Now!' podcast (first broadcast on Tuesday evening and entitled 'VPN-Geddon Denied') and Steve Gibson's take on this is that it is simply a load of utter nonsense. I wouldn't normally echo someone else's take on technical matters (on this forum) but I've been following the weekly 'Security Now!' podcasts for a decade and I am inclined to trust his opinions on matters such as this, and even to my [inexpert] brain, his description of it (err, more like debunking of it) sounds entirely sensible.

    Firstly, the hijacking process relies on having a man in the middle (I think the example the claimants cited was by using a WAP) then effectively port scanning the 10.0.8.0/24 address space to find the VPN client's source address, then it relies on either knowing the far end server IP address and spoofing that (or attempt it by spoofing addresses from the entire IPv4 space) then by trying to find the ephemeral port the client's using to communicate with the server, then guessing the packet sequence number to send it a rogue packet, and even after achieving all of that, the key part is that they didn't actually break into the VPN tunnel, so using the term 'hijacking' is rather a stretch of its understood definition. Steve Gibson's comment was that at best, this entire exercise would mildly irritate (as in busy) a VPN interface, but that's as far as it can go towards causing any trouble.

    For anyone interested, you can view the last 30 minutes of the podcast at twit.tv, or download an audio version (or read the text transcription) at grc.com.

    Text transcription here: www.grc.com/.../sn-744.txt and then search for the below line to get to the correct place in that text:

    Which brings us to VPN-geddon.

    So, nothing there to spoil my Sunday beer (which is cooling in the fridge as I type)! :-)

    Kind regards,

    Briain 

  • Hi,

    When I hear a lot of laughter while discussing TCP Stacks and encryption my spidey-sense starts tingling.

    The thing that strikes me is his dissing of the hacker community because "they aren't developers".

    The thing that sticks out so much is that Gibson stresses so much that the attackers don't have the key and at the same time ridicules the collection of 79 bit encrypted ACK responses. Known text encryption texts with such a small message size and a "large" number of packets seem to be a pretty easy target.

    I found among all the laughter pretty good hints of how to identify such a man in the middle attack. Recognizing when you are being sprayed with nonsense packets should be a good hint that the VPN connection should shut down and that you shouldn't trust that particular man in the middle (Access Point).

    I just don't have that much confidence that most common VPN Clients are that smart. I also can think of lots of managers and sales guys who will see a wonky connection and just keep on working not recognizing that they are being attacked.

    So "no" this probably isn't VPN-Geddon, it probably is a relatively simple and inconvenient fix. Ignoring the problem or trying to calm the nerves of the non-tech managers is probably counter-productive.
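
The detection idea raised in the post above, noticing a sender on the local network that sprays packets at tunnel addresses, as an added Python example that is not part of the original thread. The interface names, thresholds and sample packets are assumptions constructed for illustration; the 10.0.8.0/24 subnet is the one quoted earlier in the thread.

```python
import ipaddress
from collections import defaultdict

# Tunnel subnet as quoted in the thread; interface names and
# thresholds are assumptions made for this example.
TUNNEL_NET = ipaddress.ip_network("10.0.8.0/24")
PHYS_IFACE = "wlan0"
WINDOW_S = 10
MIN_DISTINCT = 5

def detect_probing(packets):
    """Return sorted (src_mac, window_start, kind) alerts.

    A packet that arrives in clear on the physical interface but is
    addressed to the tunnel subnet did not come through the tunnel.
    Many distinct tunnel addresses from one sender look like address
    probing; many distinct ports on one address look like port guessing.
    """
    addrs = defaultdict(set)   # (mac, window) -> tunnel IPs seen
    ports = defaultdict(set)   # (mac, window, ip) -> ports seen
    for ts, iface, mac, dst_ip, dst_port in packets:
        if iface != PHYS_IFACE:
            continue  # decrypted traffic on the tunnel interface is expected
        if ipaddress.ip_address(dst_ip) not in TUNNEL_NET:
            continue
        win = int(ts // WINDOW_S) * WINDOW_S
        addrs[(mac, win)].add(dst_ip)
        ports[(mac, win, dst_ip)].add(dst_port)
    alerts = set()
    for (mac, win), seen in addrs.items():
        if len(seen) >= MIN_DISTINCT:
            alerts.add((mac, win, "address-probing"))
    for (mac, win, _ip), seen in ports.items():
        if len(seen) >= MIN_DISTINCT:
            alerts.add((mac, win, "port-guessing"))
    return sorted(alerts)

# Constructed sample capture: (time, interface, source MAC, dst IP, dst port)
AP = "02:00:00:00:00:01"
SAMPLE = (
    [(0.1 * i, "wlan0", AP, f"10.0.8.{i}", 443) for i in range(1, 9)]
    + [(12 + 0.1 * i, "wlan0", AP, "10.0.8.6", 40000 + i) for i in range(8)]
    + [(3.0, "tun0", "-", "10.0.8.6", 51000)]       # normal tunnel traffic
    + [(4.0, "wlan0", "02:00:00:00:00:02", "192.168.1.20", 443)]  # LAN traffic
)

if __name__ == "__main__":
    for alert in detect_probing(SAMPLE):
        print(alert)
```
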

  • Hi  

    I have received feedback from the development team.

    They have stated that the XG is not affected by this vulnerability, as analysis of this CVE shows that it affects route-based VPNs. As the XG's VPN capabilities are only policy-based, this should not affect the XG even if the XG acts as a client in the SSL VPN site-to-site configuration.

    There will be a KB article written up to reflect this same information.

    Thanks!

    KingChris
    Community Support | Sophos Support


  • Hi Community,

    Herewith is the KB article that addresses any concerns surrounding this CVE number.

    https://www.sophos.com/kb/134996

    Thanks!

    KingChris
    Community Support | Sophos Support


  • Thank you for the feedback and for your effort!