Stop CVE-2019-14899 by dropping packets to tunnel IP

Stops an attacker on the same network from discovering the tunnel IP of the device running this app
mullvad · Dec 6, 2019 · ef58862 · ef58862
1 parent b94cdac
commit ef58862
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -26,6 +26,11 @@ Line wrap the file at 100 chars.                                              Th
 ### Fixed
 - Fix improved WireGuard port selection
 
+### Security
+#### Linux
+- Stop [CVE-2019-14899](https://seclists.org/oss-sec/2019/q4/122) by dropping all packets destined
+  for the tunnel IP coming in on some other interface than the tunnel.
+
 
 ## [2019.10-beta2] - 2019-12-05
 ### Added

diff --git a/talpid-core/src/firewall/linux.rs b/talpid-core/src/firewall/linux.rs
@@ -362,6 +362,9 @@ impl<'a> PolicyBatch<'a> {
                 self.add_dns_rule(tunnel, TransportProtocol::Udp)?;
                 self.add_dns_rule(tunnel, TransportProtocol::Tcp)?;
                 self.add_allow_tunnel_rules(tunnel)?;
+                if *allow_lan {
+                    self.add_block_cve_2019_14899(tunnel);
+                }
                 *allow_lan
             }
             FirewallPolicy::Blocked { allow_lan } => *allow_lan,
@@ -470,6 +473,20 @@ impl<'a> PolicyBatch<'a> {
         Ok(())
     }
 
+    /// Adds rules for stopping [CVE-2019-14899](https://seclists.org/oss-sec/2019/q4/122).
+    /// An attacker on the same local network as the VPN connected device could figure out
+    /// the tunnel IP the device used if the device was set to not filter reverse path (rp_filter.)
+    /// These rules stops all packets coming in to the tunnel IP. As such, these rules must come
+    /// after the rule allowing the tunnel, otherwise even the tunnel can't talk to that IP.
+    fn add_block_cve_2019_14899(&mut self, tunnel: &tunnel::TunnelMetadata) {
+        for tunnel_ip in &tunnel.ips {
+            let mut rule = Rule::new(&self.in_chain);
+            check_ip(&mut rule, End::Dst, *tunnel_ip);
+            add_verdict(&mut rule, &Verdict::Drop);
+            self.batch.add(&rule, nftnl::MsgType::Add);
+        }
+    }
+
     fn add_allow_lan_rules(&mut self) {
         // LAN -> LAN
         for net in &*super::ALLOWED_LAN_NETS {