The VPN service Private Internet Access (PIA) has released a new version of its Linux client which fixes a critical vulnerability that could have allowed remote attackers to bypass the software's kill switch.
The vulnerability, tracked as CVE-2020-15590, was discovered by Sick Codes and it affects versions 1.5 through 2.3 of PIA's Linux client.
The client's kill switch is configured to block all inbound and outbound network traffic when a VPN connection drops. However, privileged applications still have the ability to send and receive network traffic even when the kill switch is turned on if net.ipv4.ip_forward has been enabled in the system kernel parameters.
In a vulnerability disclosure on its website, Sick Codes explained that a Docker container running on a host with the VPN turned off and the kill switch turned on can continue using the internet and leak the host IP. This could allow a remote attacker to read sensitive information by intercepting network traffic.
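On Linux, forwarded packets traverse netfilter's FORWARD chain rather than INPUT or OUTPUT, so a ruleset that only locks down those two chains leaves routed container traffic uncovered once net.ipv4.ip_forward is 1. The following is an added example, not code from PIA or Sick Codes, that audits a saved ruleset for that gap; the `tun0` interface name, the sample rules and the simplified rule walk (match conditions other than the output interface are ignored) are assumptions.

```python
import re

# Constructed iptables-save excerpt (not from PIA): INPUT/OUTPUT are locked to
# the tunnel, while a Docker-style rule accepts forwarded container traffic.
SAMPLE_RULES = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DOCKER-USER - [0:0]
-A OUTPUT -o tun0 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
"""

def forward_leaks(ip_forward, rules, vpn_if="tun0"):
    """List filter-table FORWARD-path accepts that are not pinned to vpn_if."""
    if ip_forward.strip() != "1":
        return []  # kernel is not routing, so nothing traverses FORWARD
    policy, chains, in_filter = {}, {}, False
    for line in rules.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and (m := re.match(r":(\S+) (\S+)", line)):
            policy[m.group(1)] = m.group(2)
            chains.setdefault(m.group(1), [])
        elif in_filter and (m := re.match(r"-A (\S+) (.*)-j (\S+)", line)):
            chains.setdefault(m.group(1), []).append((m.group(2).strip(), m.group(3), line))
    leaks = []
    pinned = re.compile(rf"(?<!! )-o {re.escape(vpn_if)}\b")  # non-negated "-o <vpn_if>"

    def walk(chain, seen):
        """Follow rules in order; True means an unconditional verdict was hit."""
        for match, target, line in chains.get(chain, []):
            if target == "ACCEPT" and not pinned.search(match):
                leaks.append(line)
            if target in ("ACCEPT", "DROP", "REJECT") and not match:
                return True
            if target == "RETURN" and not match:
                return False
            if target in chains and target not in seen:
                if walk(target, seen | {target}) and not match:
                    return True
        return False

    if not walk("FORWARD", {"FORWARD"}) and policy.get("FORWARD") == "ACCEPT":
        leaks.append(":FORWARD ACCEPT")
    return leaks
```

On a real host the two inputs would come from `sysctl -n net.ipv4.ip_forward` and `iptables-save`; any rule returned is a path by which container traffic can leave the host outside the tunnel.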
Using Docker with a VPN
TechRadar Pro reached out to PIA regarding the now patched vulnerability and a spokesperson for the company provided the following statement explaining the issue:
“We were contacted in relation to the use of the Docker platform completely with the PIA Linux client in July 2020. Docker on Linux had not previously been supported by PIA because the Docker engine runs with root privileges, and we cannot assure that the killswitch will protect software that is itself able to control networking. The issue raised only pertains to using the PIA Linux client in the host while running other Docker containers on that same host. This issue pertains to forwarded network connections on Linux, which are used by the Docker platform. This is not to be confused with widespread “VPN containers” used by users online, which create a VPN connection inside the container to be used for specific apps only.
“For the issue raised, we have no legacy customer support requests relating to this use case. We welcome input from community sources in addressing their usage and with this in mind, we took the decision to support this use case with our next Linux client release.”
PIA users running Docker on Linux should upgrade to version 2.4 of the company's client as soon as possible to avoid any potential attacks leveraging this vulnerability.