authorLinus Färnstrand <linus@mullvad.net>2019-12-06 14:13:36 +0100
committerLinus Färnstrand <linus@mullvad.net>2019-12-06 15:30:13 +0100
commitef5886281dd84b450ae25a9ffca036cffd16abd1 (patch)
tree9cedbaaf0f43222475d2570de1cbcd8d3379ce4a /talpid-core/src
parentb94cdac690cbb51cbee07d5bd2f011e80a7f2ef0 (diff)
Stop CVE-2019-14899 by dropping packets to tunnel IP
Stops an attacker on the same local network from discovering the tunnel IP of the device running this app.
Diffstat (limited to 'talpid-core/src')
-rw-r--r--talpid-core/src/firewall/linux.rs17
1 files changed, 17 insertions, 0 deletions
diff --git a/talpid-core/src/firewall/linux.rs b/talpid-core/src/firewall/linux.rs
index f33750bfc4..e2f6f4f736 100644
--- a/talpid-core/src/firewall/linux.rs
+++ b/talpid-core/src/firewall/linux.rs
@@ -362,6 +362,9 @@ impl<'a> PolicyBatch<'a> {
self.add_dns_rule(tunnel, TransportProtocol::Udp)?;
self.add_dns_rule(tunnel, TransportProtocol::Tcp)?;
self.add_allow_tunnel_rules(tunnel)?;
+ if *allow_lan {
+ self.add_block_cve_2019_14899(tunnel);
+ }
*allow_lan
}
FirewallPolicy::Blocked { allow_lan } => *allow_lan,
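Review bot: The ordering invariant that makes the new call safe is decided here, not inside the helper: `add_block_cve_2019_14899` drops every inbound packet to the tunnel IP, so it only works because `add_allow_tunnel_rules` has already accepted tunnel-interface traffic on the line above. A reader touching this match arm later has no hint of that, so I would put the constraint at the call site, e.g. `// Must stay after add_allow_tunnel_rules: these rules drop all other traffic to the tunnel IP.` The gate on `*allow_lan` is presumably fine because the chain's default verdict drops non-tunnel traffic when LAN is not allowed, but that default is not visible in this hunk, so a one-line comment stating that assumption would help too. The enclosing function starts and ends outside the hunk.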
@@ -470,6 +473,20 @@ impl<'a> PolicyBatch<'a> {
Ok(())
}
+ /// Adds rules for stopping [CVE-2019-14899](https://seclists.org/oss-sec/2019/q4/122).
+ /// An attacker on the same local network as the VPN connected device could figure out
+ /// the tunnel IP the device used if the device was set to not filter reverse path (rp_filter.)
+ /// These rules stops all packets coming in to the tunnel IP. As such, these rules must come
+ /// after the rule allowing the tunnel, otherwise even the tunnel can't talk to that IP.
+ fn add_block_cve_2019_14899(&mut self, tunnel: &tunnel::TunnelMetadata) {
+ for tunnel_ip in &tunnel.ips {
+ let mut rule = Rule::new(&self.in_chain);
+ check_ip(&mut rule, End::Dst, *tunnel_ip);
+ add_verdict(&mut rule, &Verdict::Drop);
+ self.batch.add(&rule, nftnl::MsgType::Add);
+ }
+ }
+
fn add_allow_lan_rules(&mut self) {
// LAN -> LAN
for net in &*super::ALLOWED_LAN_NETS {
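Review bot: The drop rule on lines L43–L46 matches only on destination IP, so its correctness rests entirely on being batched after the tunnel-accept rules — the doc comment says so, but nothing in the rule itself enforces it, and a later reordering would silently break all tunnel traffic. A self-contained rule would additionally require the input interface to differ from the tunnel interface, so it drops the spoofed LAN-side packets the CVE relies on regardless of rule order; if the file already has an interface-match helper (the one `add_allow_tunnel_rules` presumably uses), that is one extra call per rule, e.g. `// only drop packets that did not arrive via the tunnel itself` above the `check_ip` line. Worth confirming that local processes talking to their own tunnel IP over loopback are still accepted by an earlier rule, since otherwise this would also drop them. Minor: the doc comment reads "These rules stops" — should be "These rules stop", and the `rp_filter.)` punctuation is reversed.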