Hi,
Is it known to what extent Sophos products are affected by the vulnerability?
https://www.terabitweb.com/2019/12/06/cve-2019-14899-vpn-flaw-html/
In the meantime: Naked Security already put some information on this CVE. https://nakedsecurity.sophos.com/2019/12/09/networking-attack-gives-hijackers-vpn-access/
Hi Folks
I have just been watching the latest 'Security Now!' podcast (first broadcast on Tuesday evening and entitled 'VPN-Geddon Denied') and Steve Gibson's take on this is that it is simply a load of utter nonsense. I wouldn't normally echo someone else's take on technical matters (on this forum) but I've been following the weekly 'Security Now!' podcasts for a decade and I am inclined to trust his opinions on matters such as this, and even to my [inexpert] brain, his description of it (err, more like debunking of it) sounds entirely sensible.
Firstly, the hijacking process relies on having a man in the middle (I think the example the claimants cited was by using a WAP) then effectively port scanning the 10.0.8.0/24 address space to find the VPN client's source address, then it relies on either knowing the far end server IP address and spoofing that (or attempt it by spoofing addresses from the entire IPv4 space) then by trying to find the ephemeral port the client's using to communicate with the server, then guessing the packet sequence number to send it a rogue packet, and even after achieving all of that, the key part is that they didn't actually break into the VPN tunnel, so using the term 'hijacking' is rather a stretch of its understood definition. Steve Gibson's comment was that at best, this entire exercise would mildly irritate (as in busy) a VPN interface, but that's as far as it can go towards causing any trouble.
For anyone interested, you can view the last 30 minutes of the podcast at twit.tv, or download an audio version (or read the text transcription) at grc.com.
Text transcription here: www.grc.com/.../sn-744.txt and then search for the below line to get to the correct place in that text:
Which brings us to VPN-geddon.
So, nothing there to spoil my Sunday beer (which is cooling in the fridge as I type)! :-)
Kind regards,
Briain
Hi,
When I hear a lot of laughter while discussing TCP stacks and encryption my spidey-sense starts tingling.
The thing that strikes me is his dissing of the hacker community because "they aren't developers".
The thing that sticks out so much is that Gibson stresses so much that the attackers don't have the key and at the same time ridicules the collection of 79 bit encrypted ACK responses. Known text encryption texts with such a small message size and a "large" number of packets seem to be a pretty easy target.
I found among all the laughter pretty good hints of how to identify such a man in the middle attack. Recognizing when you are being sprayed with nonsense packets should be a good hint that the VPN connection should shut down and that you shouldn't trust that particular man in the middle (Access Point).
I just don't have that much confidence that most common VPN Clients are that smart. I also can think of lots of managers and sales guys who will see a wonky connection and just keep on working not recognizing that they are being attacked.
So "no", this probably isn't VPN-Geddon; it probably is a relatively simple and inconvenient fix. Ignoring the problem or trying to calm the nerves of the non-tech managers is probably counter-productive.
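
One way to spot the "sprayed with nonsense packets" condition raised in the last reply, as an added example (not code from any poster or from Sophos): it flags bursts of packets that arrive on a non-tunnel interface yet are addressed to the VPN's virtual address range. The interface names, window length, threshold and sample records are constructed assumptions; 10.0.8.0/24 is the range quoted in the thread.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

TUNNEL_NET = ip_network("10.0.8.0/24")  # range quoted in the thread; set to your VPN pool
TUNNEL_IFACE = "tun0"                    # assumed tunnel interface name
WINDOW_S = 10                            # assumed bucket length in seconds
THRESHOLD = 20                           # assumed packets per bucket before alerting

def find_spray(packets):
    """Return alerts for bursts of packets that arrive on a non-tunnel
    interface yet are addressed to the tunnel's virtual address range."""
    buckets = defaultdict(list)
    for ts, iface, src, dst, dport in packets:
        if iface != TUNNEL_IFACE and ip_address(dst) in TUNNEL_NET:
            buckets[(iface, int(ts // WINDOW_S))].append((src, dst, dport))
    alerts = []
    for (iface, bucket), hits in sorted(buckets.items()):
        if len(hits) >= THRESHOLD:
            alerts.append({
                "iface": iface,
                "window_start": bucket * WINDOW_S,
                "packets": len(hits),
                "addresses_probed": len({d for _, d, _ in hits}),
                "ports_probed": len({p for _, _, p in hits}),
                "claimed_sources": sorted({s for s, _, _ in hits}),
            })
    return alerts

def sample_capture():
    """Constructed records: (time, interface, src, dst, dst_port)."""
    pkts = []
    # Normal: the tunnel address is only ever seen on the tunnel interface.
    pkts += [(t, "tun0", "10.0.8.1", "10.0.8.6", 50000) for t in range(0, 30, 3)]
    # Normal: Wi-Fi carries packets for the Wi-Fi address only.
    pkts += [(t, "wlan0", "192.0.2.10", "192.168.1.23", 1194) for t in range(0, 30, 2)]
    # Sweep across the tunnel range arriving on Wi-Fi (t = 10.0 .. 17.8).
    pkts += [(10 + i * 0.2, "wlan0", "192.168.1.1", f"10.0.8.{i + 2}", 80) for i in range(40)]
    # Sweep across ports of one tunnel address, different claimed source (t = 20.0 .. 25.9).
    pkts += [(20 + i * 0.1, "wlan0", "198.51.100.7", "10.0.8.6", 49152 + i) for i in range(60)]
    return pkts

if __name__ == "__main__":
    for alert in find_spray(sample_capture()):
        print(alert)
```

A client or host monitor could use an alert like this as the trigger to drop the tunnel and distrust the access point, as the reply suggests.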