summaryrefslogtreecommitdiffhomepage
path: root/talpid-core/src
diff options
context:
space:
mode:
Diffstat (limited to 'talpid-core/src')
-rw-r--r--talpid-core/src/firewall/linux.rs17
1 files changed, 17 insertions, 0 deletions
diff --git a/talpid-core/src/firewall/linux.rs b/talpid-core/src/firewall/linux.rs
index f33750bfc4..e2f6f4f736 100644
--- a/talpid-core/src/firewall/linux.rs
+++ b/talpid-core/src/firewall/linux.rs
@@ -362,6 +362,9 @@ impl<'a> PolicyBatch<'a> {
self.add_dns_rule(tunnel, TransportProtocol::Udp)?;
self.add_dns_rule(tunnel, TransportProtocol::Tcp)?;
self.add_allow_tunnel_rules(tunnel)?;
+ if *allow_lan {
+ self.add_block_cve_2019_14899(tunnel);
+ }
*allow_lan
}
FirewallPolicy::Blocked { allow_lan } => *allow_lan,
@@ -470,6 +473,20 @@ impl<'a> PolicyBatch<'a> {
Ok(())
}
+ /// Adds rules for stopping [CVE-2019-14899](https://seclists.org/oss-sec/2019/q4/122).
+ /// An attacker on the same local network as the VPN connected device could figure out
+ /// the tunnel IP the device used if the device was set to not filter reverse path (rp_filter.)
+ /// These rules stops all packets coming in to the tunnel IP. As such, these rules must come
+ /// after the rule allowing the tunnel, otherwise even the tunnel can't talk to that IP.
+ fn add_block_cve_2019_14899(&mut self, tunnel: &tunnel::TunnelMetadata) {
+ for tunnel_ip in &tunnel.ips {
+ let mut rule = Rule::new(&self.in_chain);
+ check_ip(&mut rule, End::Dst, *tunnel_ip);
+ add_verdict(&mut rule, &Verdict::Drop);
+ self.batch.add(&rule, nftnl::MsgType::Add);
+ }
+ }
+
fn add_allow_lan_rules(&mut self) {
// LAN -> LAN
for net in &*super::ALLOWED_LAN_NETS {