
CVE-2019-14899 - Inferring and hijacking VPN-tunneled TCP connections - tinix
https://seclists.org/oss-sec/2019/q4/122
======
colmmacc
Disclaimer: I work at AWS, on Amazon Linux and our VPN products; those aren't
impacted by this issue.

The attack that the researchers describe is very impressive, and using traffic
analysis and error messages to find the details of an open TCP connection is
extremely clever.

Unfortunately a similar approach can be used even more practically to target
DNS on the VPN:

[https://www.openwall.com/lists/oss-security/2019/12/05/3](https://www.openwall.com/lists/oss-security/2019/12/05/3)

Encrypted DNS queries and replies can be profiled by traffic analysis, and the
reply "paused", making it easier to ensure that a DNS spoofing attempt will
succeed. This is a good reminder that cryptographic protections are best done
end to end; DNSSEC does not help with this attack, because it does not protect
traffic between the stub resolver and the resolver. It's also a good reminder
that traffic analysis is still the most effective threat against network
encryption.

------
jwilk
Looks like
[https://news.ycombinator.com/item?id=21712280](https://news.ycombinator.com/item?id=21712280)
got more traction.

~~~
tinix
Indeed. I posted it too soon! haha

------
greatgib
Shitty systemd breaking your computer again...

