WireGuard / CVE-2019-14899: How secure is the protocol really?


I’ve been using OpenVPN and SSH tunnels for a multitude of scenarios over the years, and recently I’ve been hearing a lot of buzz around the simplicity and security of WireGuard. Now I’ve found some troubling information about CVE-2019-14899:

An attacker that controls your L2 link (i.e., your WiFi or LAN) can send specially crafted packets to your device. The attacker can then use those packets to actively probe for certain properties of the TCP connections originating from your device. In other words, by controlling a device’s access point to the Internet, an attacker can infer if the user is connected to a specific host and port.

Additionally, if a TCP connection is unencrypted inside the VPN tunnel (if you visit a page that uses HTTP instead of HTTPS, for instance), the attacker can inject packets into that specific unencrypted stream. This would allow an attacker to feed your device fake HTML content for that particular stream. That would be dangerous, but as previously stated, the attacker must target a specific TCP connection, so it is not a simple vulnerability to exploit.

Source: https://protonvpn.com/blog/statement-on-cve-2019-14899/

  1. Is this information technically correct?
  2. Some sources on the web also state that anyone controlling the WAN of the server will also be able to take advantage of this flaw. Is it true? Can the server’s ISP exploit this?

Assuming the information is correct:

  1. Why does it matter if the "TCP connection is unencrypted inside the VPN tunnel"? In theory one uses a VPN exactly to get around this issue – to make sure nobody can see the contents of the communication between two machines.
  2. If anyone controlling the client’s LAN can inject packets, how is this even considered a secure protocol? From my understanding, authenticity validation is a must in scenarios like this. The server should be able to check the authenticity of new data instead of blindly accepting it… Isn’t there some kind of key exchange for this?
  3. According to WireGuard’s website, it "mimics the model of SSH and Mosh; both parties have each other’s public keys, and then they’re simply able to begin exchanging packets through the interface." How is a 3rd party (that doesn’t have the right keys) able to impersonate the client and send data, and how does the server then decrypt it using the client’s real key without errors?

It looks to me like the information about the CVE isn’t correct, OR WireGuard was so badly designed that it can’t even use a proper key exchange to secure a communication channel.

Thank you in advance.
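The part of CVE-2019-14899 that the question above is missing is that the crafted packets never pass through WireGuard at all. The attacker on the LAN sends ordinary cleartext IP packets to the victim's physical interface, with the destination set to the victim's VPN tunnel address (and the source spoofed to look like the remote web server). Under the "weak host model" the kernel accepts a packet for any of its local addresses on any interface, so the TCP stack answers, and the answer is routed back out through the tunnel, where the attacker sees an encrypted packet leave right after the probe. No keys are needed because nothing is being decrypted; what decides the outcome is the OS's reverse-path check (`rp_filter`), not WireGuard's handshake. The following is an added example, not code from the original post or from the WireGuard project: a small Python model of that routing decision, with constructed addresses, interface names and probe packets, run once with loose reverse-path filtering (the Linux default on systemd-based distributions at the time of the disclosure) and once with strict filtering.

```python
"""
Model of the host-side check that CVE-2019-14899 abuses.

Added example (not part of the original question or of WireGuard): it
models, in plain Python, how a Linux host decides whether to accept an
IPv4 packet that arrives on the Wi-Fi interface but is addressed to the
host's VPN tunnel address. Addresses, interface names and the sample
packets are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Reverse-path-filter modes, as in net.ipv4.conf.<if>.rp_filter
RP_OFF, RP_STRICT, RP_LOOSE = 0, 1, 2


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    in_iface: str  # interface the packet physically arrived on


class Host:
    def __init__(self, addrs, routes, rp_filter):
        # addrs: {iface: local address}; routes: [(prefix, egress iface)]
        self.addrs = {iface: IPv4Address(a) for iface, a in addrs.items()}
        self.routes = [(IPv4Network(p), i) for p, i in routes]
        self.rp_filter = rp_filter

    def route(self, ip):
        """Longest-prefix match; returns the egress interface or None."""
        best = None
        for net, iface in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def reverse_path_ok(self, pkt):
        """rp_filter: would a reply to pkt.src leave via pkt.in_iface?"""
        if self.rp_filter == RP_OFF:
            return True
        back = self.route(pkt.src)
        if self.rp_filter == RP_STRICT:
            return back == pkt.in_iface
        return back is not None  # loose: any route to the source suffices

    def accept(self, pkt):
        """Weak host model: any local address is accepted on any
        interface, subject only to the reverse-path check."""
        if pkt.dst not in self.addrs.values():
            return False
        return self.reverse_path_ok(pkt)

    def observable_reply_iface(self, pkt):
        """Where the TCP stack's answer (RST / challenge ACK) would be sent.
        'wg0' means the LAN attacker sees an encrypted packet leave the
        tunnel right after the probe, which is the side channel used."""
        return self.route(pkt.src) if self.accept(pkt) else None


def victim(rp_filter):
    # Constructed victim: Wi-Fi on 192.168.1.0/24, WireGuard tunnel address
    # 10.8.0.2, default route through the tunnel, endpoint reached via Wi-Fi.
    return Host(
        addrs={"wlan0": "192.168.1.23", "wg0": "10.8.0.2"},
        routes=[("192.168.1.0/24", "wlan0"),
                ("0.0.0.0/0", "wg0"),
                ("203.0.113.5/32", "wlan0")],  # the VPN endpoint itself
        rp_filter=rp_filter,
    )


# Constructed probe: spoofed source = a web server the victim may be talking
# to, destination = the victim's tunnel address, delivered on the LAN.
PROBE = Packet(IPv4Address("198.51.100.80"), IPv4Address("10.8.0.2"), "wlan0")

if __name__ == "__main__":
    for mode, name in ((RP_LOOSE, "loose"), (RP_STRICT, "strict")):
        h = victim(mode)
        print(f"rp_filter={name}: accepted={h.accept(PROBE)}, "
              f"reply leaves via {h.observable_reply_iface(PROBE)}")
```

With `rp_filter` loose the probe is accepted and the reply goes out through `wg0`; with strict filtering the reverse route to the spoofed source is `wg0`, not `wlan0`, so the kernel drops the probe while genuine traffic from the VPN endpoint on `wlan0` and genuine traffic arriving inside the tunnel are still accepted. On a real Linux host the corresponding mitigations are `net.ipv4.conf.all.rp_filter=1` (together with the interface-specific setting, since the effective value is the higher of the two) or a firewall rule that drops packets addressed to the tunnel IP that do not arrive on the tunnel interface, which is what `wg-quick` adds in the raw table when it manages the routing table.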