wireguard.lists.zx2c4.com archive mirror
 help / color / mirror / Atom feed
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Regarding "Inferring and hijacking VPN-tunneled TCP connections"
Date: Thu, 5 Dec 2019 20:13:18 +0100	[thread overview]
Message-ID: <20191205191318.GA44156@zx2c4.com> (raw)

Hey folks,

William unembargoed his nice vuln this week: https://seclists.org/oss-sec/2019/q4/122

It appears to affect basically most common unix network stacks. This
isn't a WireGuard vulnerability, but rather something in the routing
table code and/or TCP code on affected operating systems. However, it
does affect us, since WireGuard exists on those affected OSes.

Some might chalk it up to just a configuration error, dismissing it as,
"well, if you configure your networking stack poorly, bad things will
happen," but I don't really buy that: the network setups affected by
this vulnerability are pretty much the norm everywhere.

And it turns out that we actually are in the business of properly
configuring people's networking stacks. Specifically, the tools we ship
come with the little bash script, wg-quick(8), which is a popular way of
automating some common tasks. We've started looking at kernel-level
mitigations within the Linux networking stack, but before those are
ready, I thought it would be prudent to put some first-level defenses
into wg-quick(8) itself.

For that reason, since November, wg-quick(8) has added a few iptables(8)
rules. I really dislike having wg-quick(8) grow any sort of dependency
on iptables(8) (and eventually on nftables(8)), but at the moment, I
don't see a viable alternative. Suggestions are welcome. In particular,
we're adding a rule that is something like:

    iptables -t raw -I PREROUTING ! -i wg0 -d -m addrtype ! --src-type LOCAL -j DROP

where wg0 is the WireGuard interface and is the local IP of
the interface.

This says to drop all packets that are sent to that IP address that
aren't coming from the WireGuard interface. And it's done very early in
Netfilter, in the "raw" table. The researchers have confirmed that this
mitigates the issue.

Adding iptables(8) into wg-quick(8) has been predictably problematic,
and it'll probably be at least another snapshot until we get things
bug-free on all the different variations of the utility that distros
ship, but we'll get there. In the meantime, I'd certainly appreciate
patches to do the same with nftables(8), as well as some fresh thoughts
on how to accomplish this same thing _without_ the firewall. (In the
process of writing this email, for example, I had an idea regarding
ip-rule(8) that might work out, but I haven't tried yet.) We also have
some non-Linux operating systems to consider.

Feedback welcome.

WireGuard mailing list

             reply	other threads:[~2019-12-05 19:13 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-12-05 19:13 Jason A. Donenfeld [this message]
2019-12-05 19:50 ` Regarding "Inferring and hijacking VPN-tunneled TCP connections" Vasili Pupkin
2019-12-05 20:24   ` Jason A. Donenfeld
2019-12-05 21:28     ` Vasili Pupkin
2019-12-06 15:18       ` Jason A. Donenfeld
2019-12-06 17:21         ` Vasili Pupkin
2019-12-07 20:51         ` Lonnie Abelbeck
2019-12-06 12:58     ` William J. Tolley
2019-12-06 15:06     ` Jordan Glover
2019-12-06 15:08       ` Jason A. Donenfeld
2019-12-06 16:03         ` Vasili Pupkin
2019-12-06 16:12           ` Jordan Glover
2019-12-06 17:06             ` Vasili Pupkin
2019-12-05 20:10 ` zrm

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191205191318.GA44156@zx2c4.com \
    --to=jason@zx2c4.com \
    --cc=wireguard@lists.zx2c4.com \


* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).