漏洞标题
N/A
漏洞描述信息
Private Internet Access (PIA) 的 Linux 1.5 到 2.3+ 的 VPN 客户端的一个漏洞允许远程攻击者绕过预期的 VPN 开关机制,并通过拦截网络流量读取敏感信息。自 1.5 以来,PIA 已支持一个“分隧道”的 OpenVPN 绕过选项。PIA 开关及其关联的 iptables 防火墙旨在保护在使用互联网时保护您。当开关配置为阻止所有入站和出站网络流量时,如果系统内核参数中已经启用了 net.ipv4.ip_forward,特权应用程序仍然可以继续发送和接收网络流量。例如,如果一个具有 VPN 关闭的主机上运行的 Docker 容器,并且开关打开,它仍然可以使用互联网,泄露主机 IP(CWE 200)。在 PIA 2.4.0+ 中,默认情况下启用策略路由,并将所有转发 packets 自动发送到 VPN 接口。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
漏洞类别
N/A
漏洞标题
N/A
漏洞描述信息
A vulnerability in the Private Internet Access (PIA) VPN Client for Linux 1.5 through 2.3+ allows remote attackers to bypass an intended VPN kill switch mechanism and read sensitive information via intercepting network traffic. Since 1.5, PIA has supported a “split tunnel” OpenVPN bypass option. The PIA killswitch & associated iptables firewall is designed to protect you while using the Internet. When the kill switch is configured to block all inbound and outbound network traffic, privileged applications can continue sending & receiving network traffic if net.ipv4.ip_forward has been enabled in the system kernel parameters. For example, a Docker container running on a host with the VPN turned off, and the kill switch turned on, can continue using the internet, leaking the host IP (CWE 200). In PIA 2.4.0+, policy-based routing is enabled by default and is used to direct all forwarded packets to the VPN interface automatically.
CVSS信息
N/A
漏洞类别
N/A
漏洞标题
Linux PIA VPN 信息泄露漏洞
漏洞描述信息
London Trust Media Private Internet Access(PIA)Client是一款用于匿名访问互联网的VPN(虚拟专用网络)客户端应用程序。 Linux 1.5到2.3+的PIA VPN客户端存在安全漏洞,攻击者可利用该漏洞绕过指定的VPN杀死开关机制,通过拦截网络流量读取敏感信息。
CVSS信息
N/A
漏洞类别
信息泄露