Check Point Response to CVE-2019-14899 (Inferring and hijacking VPN-tunneled TCP connections)

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk164019
Technical Level
Severity	Info
Product	IPSec VPN, Endpoint Security VPN, Endpoint Security Client, SandBlast Mobile / Mobile Threat Prevention, Check Point Capsule VPN, Check Point Capsule Connect
Version	All
OS	Android, Mac, iOS
Date Created	12-Dec-2019
Last Modified	15-Dec-2019

Symptoms

On December 4, 2019, a researcher reported a vulnerability in Unix-based operating systems through which some information about VPN connections can be discovered by a rogue access point or, perhaps, by someone in the same network as the remote access user. This information includes the Office Mode IP Address of the VPN client and the IP address to which the user is connected. In some cases, the attacker can disrupt the TCP connection. For more information see: https://seclists.org/oss-sec/2019/q4/122

Cause

The incoming packets to the Office Mode address are handled first by the operating system's TCP stack. When a SYN-ACK packet enters a non-existing connection, the operating system will reply with a RST: this allows the attacker to determine the IP address.

In the same manner, the attacker can guess the external IP addresses to which the user is connected, and from there guess the TCP sequence number and try to interfere with the connection.

Important notes:

Since the traffic is encrypted over our VPN tunnel, no data can be seen or changed by the attacker.
Since most of the outgoing traffic nowadays is over SSL (inside the VPN tunnel), the SSL stack will ignore the packets sent by the attacker and the TCP sequence will not be disrupted, either.

Solution

The Check Point Firewall Blade on Endpoint Client for Mac can be used to block the incoming connections to the Office Mode IP address, which will end the attack in stage 1.

The Gaia operating system, our site-to-site IPsec VPN, and Capsule Workspace are not affected by this vulnerability.

The solution for this issue needs to come from the operating system maintainers as the bug is in their code. It is always recommended to update your operating system with the latest updates.

Applies To:

Remote Access VPN clients
SandBlast Mobile Protect

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating