08.12.2019 16:25, Miroslav Lachman wrote:

> https://www.bleepingcomputer.com/news/security/new-linux-vulnerability-lets-attackers-hijack-vpn-connections/
>
> Security researchers found a new vulnerability allowing potential attackers
> to hijack VPN connections on affected *NIX devices and inject arbitrary data
> payloads into IPv4 and IPv6 TCP streams.
>
> They disclosed the security flaw tracked as CVE-2019-14899 to distros and the
> Linux kernel security team, as well as to others impacted such as Systemd,
> Google, Apple, OpenVPN, and WireGuard.
>
> The vulnerability is known to impact most Linux distributions and Unix-like
> operating systems including FreeBSD, OpenBSD, macOS, iOS, and Android.
>
> Attacks exploiting CVE-2019-14899 work against OpenVPN, WireGuard, and
> IKEv2/IPSec, but the researchers are still testing their feasibility against
> Tor.
>
> https://seclists.org/oss-sec/2019/q4/122

Why do these "researchers" call it "new"? There is nothing new in lack of standard anti-spoofing filtering for network interfaces of any kind, be it tunnels or not.

Our /etc/rc.firewall has "Stop spoofing" configuration by phk@ since first revision committed in 1996. Our gif(4) interface has built-in anti-spoofing feature enabled by default, too.

_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
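
As an added illustration that is not part of the message above or of FreeBSD's own code, the following Python model shows one common form of anti-spoofing filtering, a strict reverse-path check, on a host with a tunnel interface. The interface names, routes and addresses are constructed for the example.

```python
import ipaddress

# Constructed routing table for a host with a full-tunnel VPN:
# (prefix, outgoing interface). All names and addresses are made up.
ROUTES = [
    ("0.0.0.0/0", "tun0"),          # default route through the tunnel
    ("10.8.0.0/24", "tun0"),        # tunnel's virtual network
    ("192.168.1.0/24", "wlan0"),    # local access network
    ("203.0.113.10/32", "wlan0"),   # VPN server, reached outside the tunnel
]

def route_interface(addr, routes=ROUTES):
    """Longest-prefix match: interface the host would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def antispoof_accept(src, in_if, routes=ROUTES):
    """Strict reverse-path check: accept only if the route back to src
    leaves through the interface the packet arrived on."""
    return route_interface(src, routes) == in_if

# Constructed packets: (source address, arrival interface)
PACKETS = [
    ("192.168.1.1", "wlan0"),    # local gateway on the access network
    ("203.0.113.10", "wlan0"),   # encrypted traffic from the VPN server
    ("198.51.100.7", "tun0"),    # internet host reached through the tunnel
    ("198.51.100.7", "wlan0"),   # same source claimed on the wrong interface
    ("10.8.0.1", "wlan0"),       # tunnel-network source on the access network
]

def verdicts(packets=PACKETS):
    """Return the accept/drop decision for each constructed packet."""
    return [antispoof_accept(src, in_if) for src, in_if in packets]

if __name__ == "__main__":
    for (src, in_if), ok in zip(PACKETS, verdicts()):
        print(f"{src:15} in via {in_if:6} -> {'accept' if ok else 'drop'}")
```

The last two packets are dropped because their sources route through `tun0` while they arrived on `wlan0`; the check applies equally to tunnel and physical interfaces.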