CVE-2019-14899
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel.
Se detectó una vulnerabilidad en Linux, FreeBSD, OpenBSD, MacOS, iOS y Android, que permite a un punto de acceso malicioso, o un usuario adyacente, determinar si un usuario conectado está utilizando una VPN, hacer inferencias positivas sobre los sitios web que está visitando, y determinar la secuencia correcta y los números de reconocimiento en uso, permitiendo al actor malo inyectar datos en la secuencia TCP. Esto proporciona todo lo necesario para que un atacante secuestre conexiones activas dentro del túnel VPN.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-08-10 CVE Reserved
- 2019-12-11 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-300: Channel Accessible by Non-Endpoint
CAPEC
References (15)
| URL | Tag | Source |
|---|---|---|
| http://seclists.org/fulldisclosure/2020/Dec/32 | Mailing List |
|
| http://seclists.org/fulldisclosure/2020/Jul/23 | Mailing List |
|
| http://seclists.org/fulldisclosure/2020/Jul/24 | Mailing List |
|
| http://seclists.org/fulldisclosure/2020/Jul/25 | Mailing List |
|
| http://seclists.org/fulldisclosure/2020/Nov/20 | Mailing List |
|
| http://www.openwall.com/lists/oss-security/2020/08/13/2 | Mailing List |
|
| http://www.openwall.com/lists/oss-security/2020/10/07/3 | Mailing List |
|
| http://www.openwall.com/lists/oss-security/2021/07/05/1 | Mailing List |
|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14899 | Issue Tracking | |
| https://openvpn.net/security-advisory/no-flaws-found-in-openvpn-software | Third Party Advisory | |
| https://support.apple.com/kb/HT211288 | Third Party Advisory |
|
| https://support.apple.com/kb/HT211289 | Third Party Advisory |
|
| https://support.apple.com/kb/HT211290 | Third Party Advisory |
|
| https://support.apple.com/kb/HT211850 | Third Party Advisory |
|
| https://support.apple.com/kb/HT211931 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Freebsd Search vendor "Freebsd" | Freebsd Search vendor "Freebsd" for product "Freebsd" | - | - |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | - | - |
Affected
| ||||||
| Openbsd Search vendor "Openbsd" | Openbsd Search vendor "Openbsd" for product "Openbsd" | - | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Ipados Search vendor "Apple" for product "Ipados" | < 13.6 Search vendor "Apple" for product "Ipados" and version " < 13.6" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Iphone Os Search vendor "Apple" for product "Iphone Os" | < 13.6 Search vendor "Apple" for product "Iphone Os" and version " < 13.6" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Mac Os X Search vendor "Apple" for product "Mac Os X" | < 10.15.6 Search vendor "Apple" for product "Mac Os X" and version " < 10.15.6" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Macos Search vendor "Apple" for product "Macos" | 11.0 Search vendor "Apple" for product "Macos" and version "11.0" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Tvos Search vendor "Apple" for product "Tvos" | < 13.4.8 Search vendor "Apple" for product "Tvos" and version " < 13.4.8" | - |
Affected
| ||||||