Check Point Response to CVE-2019-14899 (Inferring and hijacking VPN-tunneled TCP connections)
Products: IPSec VPN, Endpoint Security VPN, Endpoint Security Client, SandBlast Mobile / Mobile Threat Prevention, Check Point Capsule VPN, Check Point Capsule Connect
Platforms: Android, Mac, iOS
- On December 4, 2019, a researcher reported a vulnerability in Unix-based operating systems through which some information about VPN connections can be discovered by a rogue access point or, perhaps, by someone on the same network as the remote access user. This information includes the Office Mode IP address of the VPN client and the IP address to which the user is connected. In some cases, the attacker can disrupt the TCP connection.
For more information see: https://seclists.org/oss-sec/2019/q4/122
Incoming packets to the Office Mode address are handled first by the operating system's TCP stack. When a SYN-ACK packet arrives for a non-existent connection, the operating system replies with a RST; that reply is what allows the attacker to confirm the Office Mode IP address.
In the same manner, the attacker can guess the external IP addresses to which the user is connected, and from there guess the TCP sequence number and try to interfere with the connection.
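The probing described above leaves a recognisable trace on the tunnel interface: SYN-ACKs that the client never solicited, each answered by a RST from the Office Mode address. The following detector is an added example, not Check Point code; it runs over a constructed list of packet summaries (a hypothetical tuple format, not a real capture format) and reports sources whose unsolicited SYN-ACKs drew repeated RST replies.

```python
"""Flag hosts probing the Office Mode address with unsolicited SYN-ACKs.

Added example, not Check Point code. Packet records are constructed
tuples: (direction, src_ip, dst_ip, src_port, dst_port, tcp_flags),
where direction is "in" (toward the Office Mode address) or "out".
"""
from collections import defaultdict

OFFICE_MODE_IP = "10.8.0.23"   # constructed sample Office Mode address


def find_probe_sources(packets, office_mode_ip, threshold=3):
    """Return {remote_ip: rst_count} for remote hosts whose unsolicited
    SYN-ACKs were answered by at least `threshold` RSTs from the client."""
    solicited = set()   # (remote_ip, remote_port, local_port) of SYNs the client sent
    pending = set()     # unsolicited SYN-ACKs not yet answered with a RST
    rst_counts = defaultdict(int)
    for direction, src, dst, sport, dport, flags in packets:
        if direction == "out" and src == office_mode_ip and flags == "S":
            solicited.add((dst, dport, sport))          # a normal client-initiated connection
        elif direction == "in" and dst == office_mode_ip and flags == "SA":
            key = (src, sport, dport)
            if key not in solicited:                    # SYN-ACK with no matching SYN: a probe
                pending.add(key)
        elif direction == "out" and src == office_mode_ip and flags == "R":
            key = (dst, dport, sport)                   # RST swaps the endpoints back
            if key in pending:
                pending.discard(key)
                rst_counts[dst] += 1
    return {ip: n for ip, n in rst_counts.items() if n >= threshold}


# Constructed sample traffic: one legitimate connection plus a port sweep.
SAMPLE_PACKETS = [
    ("out", OFFICE_MODE_IP, "203.0.113.5", 51000, 443, "S"),
    ("in", "203.0.113.5", OFFICE_MODE_IP, 443, 51000, "SA"),
    ("out", OFFICE_MODE_IP, "203.0.113.5", 51000, 443, "A"),
]
for port in (40000, 40001, 40002, 40003):   # unsolicited SYN-ACKs, each drawing a RST
    SAMPLE_PACKETS.append(("in", "192.0.2.10", OFFICE_MODE_IP, 80, port, "SA"))
    SAMPLE_PACKETS.append(("out", OFFICE_MODE_IP, "192.0.2.10", port, 80, "R"))

if __name__ == "__main__":
    print(find_probe_sources(SAMPLE_PACKETS, OFFICE_MODE_IP))  # {'192.0.2.10': 4}
```

The legitimate 203.0.113.5 handshake is not reported because its SYN-ACK answers a SYN the client sent first.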
- Since the traffic is encrypted over our VPN tunnel, no data can be seen or changed by the attacker.
- Since most outgoing traffic nowadays is over SSL (inside the VPN tunnel), the SSL stack will ignore the packets sent by the attacker, and the TCP session will not be disrupted either.
The Check Point Firewall Blade in the Endpoint Client for Mac can be used to block incoming connections to the Office Mode IP address, which stops the attack at its first stage.
The Gaia operating system, our site-to-site IPsec VPN, and Capsule Workspace are not affected by this vulnerability.
The fix for this issue needs to come from the operating system maintainers, as the bug is in their code. It is always recommended to keep your operating system up to date with the latest updates.
- Remote Access VPN clients
- SandBlast Mobile Protect