authorLinus Färnstrand <linus@mullvad.net>2019-12-06 14:13:36 +0100
committerLinus Färnstrand <linus@mullvad.net>2019-12-06 15:30:13 +0100
commitef5886281dd84b450ae25a9ffca036cffd16abd1 (patch)
tree9cedbaaf0f43222475d2570de1cbcd8d3379ce4a
parentb94cdac690cbb51cbee07d5bd2f011e80a7f2ef0 (diff)
Stop CVE-2019-14899 by dropping packets to tunnel IP
Stops an attacker on the same network from discovering the tunnel IP of the device running this app
-rw-r--r--CHANGELOG.md5
-rw-r--r--talpid-core/src/firewall/linux.rs17
2 files changed, 22 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bd0ce98f83..bf615a4d24 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,11 @@ Line wrap the file at 100 chars. Th
### Fixed
- Fix improved WireGuard port selection
+### Security
+#### Linux
+- Stop [CVE-2019-14899](https://seclists.org/oss-sec/2019/q4/122) by dropping all packets destined
+ for the tunnel IP coming in on some other interface than the tunnel.
+
## [2019.10-beta2] - 2019-12-05
### Added
diff --git a/talpid-core/src/firewall/linux.rs b/talpid-core/src/firewall/linux.rs
index f33750bfc4..e2f6f4f736 100644
--- a/talpid-core/src/firewall/linux.rs
+++ b/talpid-core/src/firewall/linux.rs
@@ -362,6 +362,9 @@ impl<'a> PolicyBatch<'a> {
self.add_dns_rule(tunnel, TransportProtocol::Udp)?;
self.add_dns_rule(tunnel, TransportProtocol::Tcp)?;
self.add_allow_tunnel_rules(tunnel)?;
+ if *allow_lan {
+ self.add_block_cve_2019_14899(tunnel);
+ }
*allow_lan
}
FirewallPolicy::Blocked { allow_lan } => *allow_lan,
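Review bot: The mitigation is installed only under `if *allow_lan` on the line before the `*allow_lan` return, and nothing at the call site says why the drop rule is not needed when LAN access is off, so the guard is easy to remove as "redundant" or to widen later; a one-line comment would pin the reasoning, e.g. `// With allow_lan off no non-tunnel input is accepted, so the tunnel IP is already unreachable from the LAN; the drop rule is only needed alongside the LAN accept rules.` — I infer that from the surrounding rules, so confirm it against the chain's default verdict. Because this arm returns `*allow_lan` and `add_allow_lan_rules` exists as a separate step, the drop rule appears to land before the LAN accept rules by construction; if that ordering is what makes the mitigation effective, it is worth stating here as well. The enclosing match arm and function start and end outside the hunk.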
@@ -470,6 +473,20 @@ impl<'a> PolicyBatch<'a> {
Ok(())
}
+ /// Adds rules for stopping [CVE-2019-14899](https://seclists.org/oss-sec/2019/q4/122).
+ /// An attacker on the same local network as the VPN connected device could figure out
+ /// the tunnel IP the device used if the device was set to not filter reverse path (rp_filter.)
+ /// These rules stops all packets coming in to the tunnel IP. As such, these rules must come
+ /// after the rule allowing the tunnel, otherwise even the tunnel can't talk to that IP.
+ fn add_block_cve_2019_14899(&mut self, tunnel: &tunnel::TunnelMetadata) {
+ for tunnel_ip in &tunnel.ips {
+ let mut rule = Rule::new(&self.in_chain);
+ check_ip(&mut rule, End::Dst, *tunnel_ip);
+ add_verdict(&mut rule, &Verdict::Drop);
+ self.batch.add(&rule, nftnl::MsgType::Add);
+ }
+ }
+
fn add_allow_lan_rules(&mut self) {
// LAN -> LAN
for net in &*super::ALLOWED_LAN_NETS {
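Review bot: The doc comment on `add_block_cve_2019_14899` states only that the rules must come after the tunnel-allow rule, but the drop matches on destination address alone with no input-interface check, so it depends just as much on being added before any accept rule for LAN sources (`add_allow_lan_rules`, directly below) and on any loopback accept rule sitting earlier in `in_chain`, which this hunk does not show. Suggest extending the comment: `/// ... and before the allow-LAN rules, since a LAN-source accept would otherwise match first. Packets to the tunnel IP arriving on any other interface, loopback included, are dropped unless an earlier rule accepts them.` Also `These rules stops all packets` should read `These rules stop all packets`. The helper returns `()` whereas the neighbouring batch helpers return `Result` and are called with `?`; that is fine if `self.batch.add` cannot fail, but a short note saying so would keep the call site `self.add_block_cve_2019_14899(tunnel);` from looking like a dropped error.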