PSIRT Note: CVE-2019-14899 Inferring and hijacking VPN-tunneled TCP connections
Description
An information disclosure vulnerability allows a network-adjacent attacker to determine the TCP/IP stack state (including IP address, TCP sequence numbers, etc.) of the system by sending spoofed TCP packets to the target when the latter operates under a weak host model.
FortiOS.
FortiOS may be impacted only if 'asymroute' is enabled or if 'strict-src-check' is disabled.
FortiClient.
FortiClient may be impacted if the host system operates under a weak host model.
Scope
FortiOS IPsec VPN.
FortiClient IPsec VPN.
Solution
FortiOS.
Make sure 'asymroute' is disabled in system settings (note that this is the default):

    config vdom
        edit [vdom-name]
            config system settings
                set asymroute disable
                set asymroute6 disable
            end
        next
    end

If 'asymroute' is enabled, review the unit policy against the attack scenarios in reference [1] (part "1. Determining the VPN client's virtual IP address").
If 'strict-src-check' is disabled (note that this is the default value), whether or not the system may be vulnerable depends on the unit policy or route settings.
Make sure 'strict-src-check' is enabled:

    config vdom
        edit [vdom-name]
            config system settings
                set strict-src-check enable
            end
        next
    end

If 'strict-src-check' is disabled, review the unit policy and route settings against the attack scenarios in reference [1] (part "1. Determining the VPN client's virtual IP address").
For instance:
* When there is no policy allowing TCP packets from 192.168.12.1 to 10.8.0.8, the system is not vulnerable.
* When there is a policy allowing TCP packets from 192.168.12.1 to 10.8.0.8:
** When 'asymroute' is enabled, which corresponds to loose mode (RFC 3704 section 2.4), the system is vulnerable.
** When 'strict-src-check' is enabled, which corresponds to strict mode (RFC 3704 section 2.2), the system is not vulnerable.
** When 'strict-src-check' is disabled, which corresponds to feasible mode (RFC 3704 section 2.3), and there is an alternate route from 10.8.0.x to 192.168.12.x, the system may be vulnerable.
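As an added illustration (not Fortinet code), the following Python model applies the three RFC 3704 reverse-path modes named above to the note's example routing: the VPN client pool 10.8.0.0/24 sits behind the IPsec tunnel, 192.168.12.0/24 is the LAN, and the interface names and distances are assumed. It shows why a source-spoofed packet arriving off the tunnel passes in loose mode, fails in strict mode, and in feasible mode depends on whether the alternate route exists.

```python
import ipaddress
from typing import Dict, List, Tuple

# A route is (prefix, outgoing interface, administrative distance); lower distance wins.
Route = Tuple[ipaddress.IPv4Network, str, int]

def routes_for(table: List[Route], addr: str) -> List[Route]:
    """Routes covering addr, most specific first, then lowest distance first."""
    ip = ipaddress.ip_address(addr)
    return sorted((r for r in table if ip in r[0]), key=lambda r: (-r[0].prefixlen, r[2]))

def rpf_accepts(table: List[Route], src: str, ingress: str, mode: str) -> bool:
    """Reverse-path check of a packet's source in the RFC 3704 mode the note maps
    to each FortiOS setting:
      loose    (asymroute enabled,   sec 2.4): any route back to src suffices
      feasible (strict-src-check off, sec 2.3): some route back to src uses ingress
      strict   (strict-src-check on,  sec 2.2): the best route back to src uses ingress
    """
    matches = routes_for(table, src)
    if not matches:
        return False          # no return path at all: dropped in every mode
    if mode == "loose":
        return True
    if mode == "feasible":
        return any(r[1] == ingress for r in matches)
    if mode == "strict":
        best_key = (-matches[0][0].prefixlen, matches[0][2])
        best = [r for r in matches if (-r[0].prefixlen, r[2]) == best_key]  # ECMP set
        return any(r[1] == ingress for r in best)
    raise ValueError(f"unknown mode {mode}")

def scenario(alternate_route: bool) -> Dict[str, bool]:
    """Constructed table modelled on the note's example: VPN client pool 10.8.0.0/24
    behind tunnel interface 'vpn', LAN 192.168.12.0/24 on 'lan'.  Returns, per mode,
    whether a packet claiming source 10.8.0.8 but arriving on 'lan' is accepted."""
    table: List[Route] = [
        (ipaddress.ip_network("10.8.0.0/24"), "vpn", 10),
        (ipaddress.ip_network("192.168.12.0/24"), "lan", 10),
    ]
    if alternate_route:
        # the note's 'alternate route from 10.8.0.x to 192.168.12.x': a less preferred
        # path to the client pool that leaves via the LAN interface
        table.append((ipaddress.ip_network("10.8.0.0/24"), "lan", 20))
    return {m: rpf_accepts(table, "10.8.0.8", "lan", m) for m in ("loose", "feasible", "strict")}

if __name__ == "__main__":
    for alt in (False, True):
        print(f"alternate route={alt}: {scenario(alt)}")
```

Only the strict result is independent of the rest of the routing table, which is why the note's recommended fix is enabling 'strict-src-check' rather than auditing routes.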
FortiClient.
It depends on the host system FortiClient is installed on, not on FortiClient per se.
Related articles:
[1] https://seclists.org/oss-sec/2019/q4/122
[2] https://en.wikipedia.org/wiki/Host_model
Related Articles
Technical Note: Details about FortiOS RPF (Reverse Path Forwarding), also called Anti-Spoofing
Technical Note: How the FortiGate behaves when asymmetric routing is enabled
