CVE-2019-14899

Sažetak

A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel.

Reference

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14899
https://openvpn.net/security-advisory/no-flaws-found-in-openvpn-software/
https://support.apple.com/kb/HT211290
https://support.apple.com/kb/HT211288
https://support.apple.com/kb/HT211289
http://seclists.org/fulldisclosure/2020/Jul/24
http://seclists.org/fulldisclosure/2020/Jul/23
http://seclists.org/fulldisclosure/2020/Jul/25
http://www.openwall.com/lists/oss-security/2020/08/13/2
http://www.openwall.com/lists/oss-security/2020/10/07/3
https://support.apple.com/kb/HT211931
https://support.apple.com/kb/HT211850
http://seclists.org/fulldisclosure/2020/Nov/20
http://seclists.org/fulldisclosure/2020/Dec/32
http://www.openwall.com/lists/oss-security/2021/07/05/1

CVSS

Base:	4.9
Impact:	6.4
Exploitability:	4.4

Pristup

Vektor	Složenost	Autentikacija
ADJACENT_NETWORK	MEDIUM	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:A/AC:M/Au:S/C:P/I:P/A:P

Zadnje važnije ažuriranje

01-03-2023 - 16:40

Objavljeno

11-12-2019 - 15:15