The Breakpointing Bad team at the University of New Mexico recently reported a VPN vulnerability that affects Linux, MacOS, iOS, Android, and more. The vulnerability allows malicious actors to not only see your VPN IP address, but also identify sites you are visiting and inject data into connections. The team consists of William J. Tolley, Beau Kujath, and Jedidiah R. Crandall and the public was notified on December 4th, 2019. Designated [CVE-2019-14899], the vulnerability shook the VPN industry due to the breadth of affected systems. [CVE-2019-14899] affects many different types of VPN protocols including OpenVPN, WireGuard, and IKEv2/IPSec.
Private Internet Access has released an update to its Linux client that mitigates [CVE-2019-14899] from being used to infer any information about our users’ VPN connections. To our knowledge, Private Internet Access is the first commercial VPN to release a new client that prevents this ongoing security vulnerability.
Private Internet Access patches for [CVE-2019-14899] VPN vulnerability on Linux
The researchers summarized the vulnerability in their disclosure that was sent to affected parties:
“We have discovered a vulnerability in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android which allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel.”
Essentially, the vulnerability allows attackers such as your internet service provider or even anyone on your network to inject data into the VPN connection using a three step process.
When the researchers tested the vulnerability on Linux, they found that most Linux distros were vulnerable. The vulnerability also affects IPv6. Confirmed affected systems include the following, though the list is in no way exhaustive:
- Ubuntu 19.10 (systemd)
- Fedora (systemd)
- Debian 10.2 (systemd)
- Arch 2019.05 (systemd)
- Manjaro 18.1.1 (systemd)
- MX Linux 19 (Mepis+antiX)
- Deepin (rc.d)
Users of affected distros that also use Private Internet Access VPN are now better protected against [CVE-2019-14899]. Private Internet Access developers have been working hard for the last week to be the first to market with a production fix for [CVE-2019-14899]. Privacy is our policy and PIA will always look out for its customers’ security and privacy as a priority.
Download the Private Internet Access 1.7 update from our download page: https://www.privateinternetaccess.com/pages/download