PIA

CrankyOldBugger crankyoldbugger at gmail.com
Tue Dec 1 17:04:46 UTC 2015


Yes, I would assume so.

Here's the email I got from PIA:

Dear Valued Customer,

On November 17, we were privately notified of an IP address leak
vulnerability affecting the port forwarding feature of our service.
Essentially, anyone connecting to a forwarded port on any of our VPN
gateways could have their real IP address leaked to an attacker
specifically targeting a PIA user.

Within 12 hours of the initial report, we developed and tested what we
thought was a complete fix, and deployed it to all of our VPN gateways.

On November 26, the researchers who discovered the vulnerability made it
public and we quickly noticed that our service was still vulnerable to the
IP address leak in certain cases, despite our initial fix. After further
investigation, we also realized there was a separate but related issue on
our desktop client. To fix this issue we are releasing updated VPN apps to
prevent any leaks. We released v.52 on November 27.

Protecting your privacy is our top priority and although exploiting this
vulnerability is difficult and requires an attacker to specifically target
you, we feel like we let you down with our initial response. Please accept
our apologies, we are sorry.

We highly recommend users update to v.52 (or later) of the client. To
ensure all of our beloved users remain protected, we have pushed an update
to existing clients. Please update immediately from the application or
visit one of the following links:

Windows:
https://www.privateinternetaccess.com/installer/download_installer_win

Mac: https://www.privateinternetaccess.com/installer/download_installer_osx

Technical Facts:

The vulnerability relies on the fact that a direct route exists between the
VPN client and server. If the client accesses a forwarded port on the VPN
server that is maliciously set up by an attacker, the client will use the
direct route using the user's default route, bypassing the VPN entirely.

Our initial fix was to block VPN clients from accessing forwarded ports on
the same server at the VPN gateway firewall level, but we soon discovered a
flaw in our desktop clients that made the fix incomplete. When the client
disconnected, the direct route to the VPN gateway was not removed, thereby
making users vulnerable even after they disconnected from the VPN.
Beginning with v.52, we remove these "lingering" direct routes to the VPN
gateway at disconnect time.

Note: If you are connecting to our service with a native OpenVPN client, or
PIA's Android or iOS apps, you do not need a client-side fix.
Sincerely,
Private Internet Access Team
Subsidiary of London Trust Media Inc.
On Tue, 1 Dec 2015 at 11:59 LP <linuxpusher2 at gmail.com> wrote:

> Raymond said: "Hi all, PIA advises us that there was an IP address
> vulnerability"
> Was this part of the pop up update I received yesterday ?
> Thanks
>
> On 1 December 2015 at 09:51, Raymond House <raymondh40 at gmail.com> wrote:
>
>> OK Daniel and Cranky, thanks for your inputs. I do have the little green
>> guy at the top but on earlier version it did not work that way and yes I
>> installed PIA the same way Cranky. On that earlier version I had to go
>> through the manager to get it working. Anyway, I am doing all my searching
>> now through "Framabee" and I will not resubscribe to PIA. Thanks.
>>
>> On Tue, Dec 1, 2015 at 8:36 AM, CrankyOldBugger <
>> crankyoldbugger at gmail.com> wrote:
>>
>>> As I understand it, and I recommend that you get a second opinion, if
>>> you have the little green man icon at the top then you're using the PIA
>>> client, but if you connect by going through the Network Manager icon, then
>>> selecting from the VPN list, then that is the OpenVPN client.
>>>
>>> The little green man part I'm sure of, the NM/VPN/OpenVPN part I'm 50%
>>> sure.  So check that.
>>>
>>> I'm assuming that you installed your Linux client the same way I did, by
>>> following
>>> https://www.privateinternetaccess.com/pages/client-support/ubuntu-openvpn.
>>> At some point in that process it does seem to want to install OpenVPN, so
>>> we could be good to go, but I would investigate that further.
>>>
>>> I updated my little green man on my Windows machines, I haven't seen an
>>> update for Linux yet.
>>>
>>> Still, PIA was possibly the first to offer a fix for this security issue
>>> (even though the first fix didn't work), then they followed up with a very
>>> explanatory letter saying that they were wrong and that we should do Fix
>>> #2.  That gives me some comfort knowing that they're on the ball.
>>>
>>>
>>> On Tue, 1 Dec 2015 at 05:06 Raymond House <raymondh40 at gmail.com> wrote:
>>>
>>>> Hi all, PIA advises us that there was an IP address vulnerability but at
>>>> the end of the explanation they note that if we are connecting to their
>>>> service with a native Open VPN client there is no client side fix
>>>> required. How do I know if I'm connecting with a native OpenVPN client? Not
>>>> sure what that means. Can anyone clear this up for me, thanks.
>>>> --
>>>> ubuntu-ca mailing list
>>>> ubuntu-ca at lists.ubuntu.com
>>>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-ca
>>>>
>>>
>>
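An added example, not from PIA or anyone in this thread, that models the routing-table behaviour described under "Technical Facts": with the tunnel up, a /32 host route sends traffic for the VPN gateway's own address out the physical interface (so connecting to a forwarded port on that same gateway bypasses the tunnel), and a client that fails to remove that /32 at disconnect leaves it lingering. The route tables are constructed sample `ip route show` output, and 203.0.113.10 is a placeholder gateway address; `lingering_host_routes` is the kind of check an admin could run against the real table after disconnecting.

```python
import ipaddress

# Constructed sample `ip route show` output (assumption: not captured from a real
# PIA client). OpenVPN-style layout: two /1 routes via the tunnel plus a /32 host
# route to the VPN gateway via the physical interface so tunnel packets do not loop.
# 203.0.113.10 is a placeholder gateway address.
ROUTES_CONNECTED = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 scope link
203.0.113.10 via 192.168.1.1 dev wlan0
"""
# After a disconnect by the buggy client: tunnel routes gone, /32 still there.
ROUTES_DISCONNECTED = """\
default via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 scope link
203.0.113.10 via 192.168.1.1 dev wlan0
"""


def parse_routes(text):
    """Parse route lines into (network, device) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((ipaddress.ip_network(prefix, strict=False), dev))
    return routes


def egress_device(routes, dst):
    """Longest-prefix match: the interface a packet to dst would leave on."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None


def lingering_host_routes(routes, gateway_ips):
    """/32 routes to a VPN gateway left behind once no tunnel interface is routed."""
    if any(dev and dev.startswith(("tun", "tap")) for _, dev in routes):
        return []  # tunnel is up; the host route is expected and needed
    gateways = {ipaddress.ip_address(g) for g in gateway_ips}
    return [str(net.network_address) for net, dev in routes
            if net.prefixlen == 32 and net.network_address in gateways]
```

With the tunnel up, ordinary traffic resolves to tun0 while traffic to the gateway address itself resolves to wlan0; after the disconnect shown, the check reports the leftover /32.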