Our response to the CVE-2019-14899 vulnerability report
A research team from the University of New Mexico discovered a vulnerability currently being tracked as CVE-2019-14899 which claims that VPN connections can be hijacked on Linux and Unix systems. The report mentioned the OpenVPN protocol. As part of good security principles, we are looking into this and any possible attack vectors, however we have found no flaws in the OpenVPN software.
An initial investigation by our security experts, and experts across the globe, reveals that this issue affects all network interfaces, not VPN in particular.
“It doesn’t appear to be a flaw in the OpenVPN software, but a flaw in the configuration of the operating system itself. The issue is more in how the operating system deals with this type of attack in general, rather than anything going wrong in the VPN connection itself,” says OpenVPN Access Server Product Manager, Johan Draaisma.
To our knowledge, the vulnerability is only impacting Linux and Unix systems and requires that the attacker has control over your Internet access point and can therefore reach and affect your computer outside of the VPN, in the local network, for example. Based on this, the attack is somewhat limited, and there is no straight-forward way to retrieve unencrypted data from the VPN connection.
“The issue may actually be located in the Linux operating system settings rather than in our software, but given the serious nature of the attack, we are paying close attention and will consider whatever steps are appropriate to ensure OpenVPN remains safe to use on these affected platforms. For now enabling the ‘reverse path filter’ setting in the OS is a good first step to help protect against this attack,” says Draaisma.
OpenVPN Inc. is keeping a close eye on the discussions currently ongoing, and possible solutions. Currently there is no evidence suggesting there is a flaw in the OpenVPN software itself.