Skip to main content
This blog post is 5 years old and may be out of date.

A closer look at VPN vulnerability CVE-2019-14899

News 

A recent vulnerability affecting Linux and *nix systems can compromise VPN tunnel security. If you are using the Mullvad app with default settings, you are not affected. No action is necessary.

If you use the Mullvad app on Linux with local network sharing enabled, you are vulnerable to the first of three stages of the attack. A fix will be included in the next version of the app, due to be released next week. Read on for more details.

In order to exploit the vulnerability, an attacker needs to be on the same local network as your device. The attack consists of three stages:

  1. In the first stage of attack, the internal IP address of your VPN connection is revealed.
  2. The second stage leverages the previous stage to determine if you are currently visiting a specific website.
  3. The third stage leverages the second stage in order to eavesdrop on and hijack your web session for the website, assuming it is not protected by HTTPS.

Even with local network sharing enabled, the Mullvad app is only vulnerable to stage one while stage two and three are prevented by the app’s existing network protections.

As always, if you are using Mullvad on a local network that you don’t trust, we strongly recommend that you disable local network sharing. In order to keep you protected from this vulnerability, even in the event that you do enable local network sharing, we will include additional protections in the next release of the app.

For technical details on the vulnerability, see the original post on the oss-sec mailing list. For technical details on our security patch, see our GitHub Pull request. At Mullvad, we believe in the open-source model in which a program's source code is made available, or open, to anyone for viewing and using.