How CVE‑2019‑14899 Lets Attackers Hijack VPN Connections on Unix‑Like Systems
Researchers discovered CVE‑2019‑14899, a vulnerability that enables attackers on the same network to hijack VPN connections and inject arbitrary payloads into IPv4 and IPv6 TCP streams across many Unix‑like operating systems.
Vulnerability Overview
Security researchers disclosed CVE‑2019‑14899, a vulnerability that allows an attacker on the same local network to hijack VPN connections on affected Unix‑like systems and inject arbitrary payloads into IPv4 and IPv6 TCP streams.
Affected Platforms
The issue affects most Linux distributions, both systemd-based and those using other init systems, as well as the BSDs, macOS, iOS and Android. Known vulnerable releases include:
Ubuntu 19.10 (systemd)
Fedora (systemd)
Debian 10.2 (systemd)
Arch 2019.05 (systemd)
Manjaro 18.1.1 (systemd)
Devuan (sysV init)
MX Linux 19 (Mepis+antiX)
Void Linux (runit)
Slackware 14.2 (rc.d)
Deepin (rc.d)
FreeBSD (rc.d)
OpenBSD (rc.d)
Technical Details
The attack relies on the kernel reverse‑path filter (rp_filter) being set to loose mode (value 2). Systemd’s default sysctl.d/50-default.conf changed this setting from strict (value 1) to loose on 28 Nov 2018, so distributions that ship a systemd version containing this change and do not override the setting are vulnerable. Other init systems that leave the kernel default (0, filtering disabled) in place are also affected, because the kernel default permits the attack as well.
By observing packet sizes and timing, an attacker can infer the virtual IP address assigned by the VPN server, enumerate active connections, and calculate exact TCP sequence and acknowledgment numbers despite encryption. This enables injection of data into the TCP stream and full session hijacking.
Targeted VPN Technologies
The vulnerability works against route‑based VPN implementations, including OpenVPN, WireGuard, and IKEv2/IPSec. Testing against Tor is ongoing. The attack is independent of the specific VPN protocol because it exploits observable traffic characteristics rather than payload contents.
Mitigation
Possible mitigations are:
Enable strict reverse‑path filtering (net.ipv4.conf.*.rp_filter=1).
Apply bogon filtering to drop spoofed source addresses.
Use traffic‑analysis tools to detect anomalous packet‑size patterns.
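As an added example (not from the researchers' report or the original article), the following POSIX shell helper audits the rp_filter setting discussed in the Technical Details and Mitigation sections above: it reports the effective mode per interface and prints the sysctl drop-in that restores strict mode. The `rp_` function names and the optional conf-root argument (used so the audit can be run against a constructed directory) are my own; the max(all, interface) rule comes from the kernel's ip-sysctl documentation.

```shell
#!/bin/sh
# Audit helper for CVE-2019-14899 (added example, not the article's own code).
# The kernel validates a packet's source with the MAXIMUM of
# conf/all/rp_filter and conf/<iface>/rp_filter, so a strict (1) value on an
# interface is overridden by a loose (2) value on "all".

# Map a raw rp_filter value to its mode name.
rp_mode() {
  case "$1" in
    0) echo disabled ;;
    1) echo strict ;;
    2) echo loose ;;
    *) echo unknown ;;
  esac
}

# Effective rp_filter for one interface: max(all, iface).
# $1 = conf root (default /proc/sys/net/ipv4/conf), $2 = interface name.
rp_effective() {
  root="${1:-/proc/sys/net/ipv4/conf}"
  all=$(cat "$root/all/rp_filter" 2>/dev/null || echo 0)
  iface=$(cat "$root/$2/rp_filter" 2>/dev/null || echo 0)
  if [ "$iface" -gt "$all" ]; then echo "$iface"; else echo "$all"; fi
}

# Print one line per interface; return 1 if any interface is not strict
# (i.e. still exposed to the attack described above).
rp_audit() {
  root="${1:-/proc/sys/net/ipv4/conf}"
  status=0
  for dir in "$root"/*/; do
    name=$(basename "$dir")
    case "$name" in all|default) continue ;; esac
    eff=$(rp_effective "$root" "$name")
    mode=$(rp_mode "$eff")
    printf '%-12s rp_filter=%s (%s)\n' "$name" "$eff" "$mode"
    [ "$mode" = strict ] || status=1
  done
  return $status
}

# Remediation drop-in contents. Files in /etc/sysctl.d are applied in lexical
# order, so a 99-* file wins over systemd's 50-default.conf.
rp_fix_conf() {
  printf 'net.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.default.rp_filter = 1\n'
}

# Run the live audit only when invoked as: sh rp_check.sh audit
if [ "${1:-}" = audit ]; then rp_audit; fi
```

Write the output of `rp_fix_conf` to a file such as /etc/sysctl.d/99-rp-filter.conf and apply it with `sysctl --system`, then re-run the audit to confirm every interface reports strict.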
Exploitation Steps
Identify the VPN client’s virtual IP address on the local network.
Infer which external sites the client is communicating with by correlating traffic to that virtual IP.
Send crafted packets and use encrypted responses to deduce the TCP sequence and acknowledgment numbers, then inject data to hijack the session.
References
A public report detailing reproducible steps on Linux distributions is available from the researchers. The team plans to publish a full academic paper after a proper fix is released.
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.