PIA

CrankyOldBugger crankyoldbugger at gmail.com
Tue Dec 1 17:16:32 UTC 2015


My guess is that most Linux users are going the OpenVPN route, so they
won't be affected.  Just update your OpenVPN as usual, through your
distro's update system (i.e. Ubuntu's apt-get update...)

Android and iOS clients are not affected either.



On Tue, 1 Dec 2015 at 12:12 Raymond House <raymondh40 at gmail.com> wrote:

> I got the same e-mail from PIA but nothing on how to update for linux
> users! ??
>
> On Tue, Dec 1, 2015 at 12:04 PM, CrankyOldBugger <
> crankyoldbugger at gmail.com> wrote:
>
>> Yes, I would assume so.
>>
>> Here's the email I got from PIA:
>>
>> Dear Valued Customer,
>>
>> On November 17, we were privately notified of an IP address leak
>> vulnerability affecting the port forwarding feature of our service.
>> Essentially, anyone connecting to a forwarded port on any of our VPN
>> gateways could have their real IP address leaked to an attacker
>> specifically targeting a PIA user.
>>
>> Within 12 hours of the initial report, we developed and tested what we
>> thought was a complete fix, and deployed it to all of our VPN gateways.
>>
>> On November 26, the researchers who discovered the vulnerability made it
>> public and we quickly noticed that our service was still vulnerable to the
>> IP address leak in certain cases, despite our initial fix. After further
>> investigation, we also realized there was a separate but related issue on
>> our desktop client. To fix this issue we are releasing updated VPN apps to
>> prevent any leaks. We released v.52 on November 27.
>>
>> Protecting your privacy is our top priority and although exploiting this
>> vulnerability is difficult and requires an attacker to specifically target
>> you, we feel like we let you down with our initial response. Please accept
>> our apologies, we are sorry.
>>
>> We highly recommend users update to v.52 (or later) of the client. To
>> ensure all of our beloved users remain protected, we have pushed an update
>> to existing clients. Please update immediately from the application or
>> visit one of the following links:
>>
>> Windows:
>> https://www.privateinternetaccess.com/installer/download_installer_win
>>
>> Mac:
>> https://www.privateinternetaccess.com/installer/download_installer_osx
>>
>> Technical Facts:
>>
>> The vulnerability relies on the fact that a direct route exists between
>> the VPN client and server. If the client accesses a forwarded port on the
>> VPN server that is maliciously set up by an attacker, the client will use
>> the direct route using the user's default route, bypassing the VPN
>> entirely.
>>
>> Our initial fix was to block VPN clients from accessing forwarded ports
>> on the same server at the VPN gateway firewall level, but we soon
>> discovered a flaw in our desktop clients that made the fix incomplete. When
>> the client disconnected, the direct route to the VPN gateway was not
>> removed, thereby making users vulnerable even after they disconnected from
>> the VPN. Beginning with v.52, we remove these "lingering" direct routes to
>> the VPN gateway at disconnect time.
>>
>> Note: If you are connecting to our service with a native OpenVPN client,
>> or PIA's Android or iOS apps, you do not need a client-side fix.
>>
>>
>>
>>
>> Sincerely,
>> Private Internet Access Team
>> Subsidiary of London Trust Media Inc.
>>
>>
>>
>>
>> On Tue, 1 Dec 2015 at 11:59 LP <linuxpusher2 at gmail.com> wrote:
>>
>>> Raymond said: "Hi all, PIA advises us that there was an IP address
>>> vulnerability"
>>> Was this part of the pop up update I received yesterday ?
>>> Thanks
>>>
>>>
>>>
>>> On 1 December 2015 at 09:51, Raymond House <raymondh40 at gmail.com> wrote:
>>>
>>>> OK Daniel and Cranky, thanks for your inputs. I do have the little green
>>>> guy at the top but on earlier version it did not work that way and yes I
>>>> installed PIA the same way Cranky. On that earlier version I had to go
>>>> through the manager to get it working. Anyway, I am doing all my searching
>>>> now through "Framabee" and I will not resubscribe to PIA. Thanks.
>>>>
>>>> On Tue, Dec 1, 2015 at 8:36 AM, CrankyOldBugger <
>>>> crankyoldbugger at gmail.com> wrote:
>>>>
>>>>> As I understand it, and I recommend that you get a second opinion, if
>>>>> you have the little green man icon at the top then you're using the PIA
>>>>> client, but if you connect by going through the Network Manager icon, then
>>>>> selecting from the VPN list, that this is the OpenVPN client.
>>>>>
>>>>> The little green man part I'm sure of, the NM/VPN/OpenVPN part I'm 50%
>>>>> sure.  So check that.
>>>>>
>>>>> I'm assuming that you installed your Linux client the same way I did,
>>>>> by following
>>>>> https://www.privateinternetaccess.com/pages/client-support/ubuntu-openvpn.
>>>>> At some point in that process it does seem to want to install OpenVPN, so
>>>>> we could be good to go, but I would investigate that further.
>>>>>
>>>>> I updated my little green man on my Windows machines, I haven't seen
>>>>> an update for Linux yet.
>>>>>
>>>>> Still, PIA was possibly the first to offer a fix for this security
>>>>> issue (even though the first fix didn't work), then they followed up with a
>>>>> very explanatory letter saying that they were wrong and that we should do
>>>>> Fix #2.  That gives me some comfort knowing that they're on the ball.
>>>>>
>>>>>
>>>>> On Tue, 1 Dec 2015 at 05:06 Raymond House <raymondh40 at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi all, PIA advises us that there was an IP address vulnerability but
>>>>>> at the end of the explanation they note that if we are connecting to their
>>>>>> service with a native Open VPN client there is no client side fix
>>>>>> required. How do I know if I'm connecting with a native OpenVPN client? Not
>>>>>> sure what that means. Can anyone clear this up for me, thanks.
>>>>>> --
>>>>>> ubuntu-ca mailing list
>>>>>> ubuntu-ca at lists.ubuntu.com
>>>>>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-ca
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>
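A defender-side check for the "lingering" direct route that the quoted PIA notice describes: the VPN client keeps a host route to the VPN gateway via the machine's normal default gateway, and after disconnect that route should be gone. This is an added example written for this thread, not code from PIA or from anyone on the list; it parses Linux `ip route show` output (a constructed sample is embedded) and flags host routes to a given gateway address that are still carried by a non-tunnel interface. The gateway address 198.51.100.7, the LAN addresses and the interface names are assumptions.

```python
"""Flag leftover host routes to a VPN gateway after disconnect (example, not PIA code)."""
import ipaddress
import re
import subprocess

# Constructed sample of `ip route show` output on a Linux box AFTER the VPN was
# disconnected: the tun0 routes are gone, but a /32 route to the (assumed)
# VPN gateway 198.51.100.7 via the LAN gateway is still present.
SAMPLE_ROUTES = """\
default via 192.0.2.1 dev eth0 proto dhcp metric 100
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
198.51.100.7 via 192.0.2.1 dev eth0
"""

# destination, optional "via <nexthop>", then "dev <iface>"; other fields are ignored
_ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)")


def parse_routes(text):
    """Parse `ip route show` lines into dicts; lines without a dev (blackhole etc.) are skipped."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = m.group("dst")
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        except ValueError:
            continue
        routes.append({"dst": net, "via": m.group("via"), "dev": m.group("dev")})
    return routes


def lingering_gateway_routes(routes, gateway_ips, tunnel_ifaces=("tun", "tap")):
    """Return host routes (/32 or /128) whose destination is a VPN gateway address
    and which do not go over a tunnel interface; after disconnect there should be none."""
    gateways = {ipaddress.ip_address(g) for g in gateway_ips}
    return [
        r for r in routes
        if r["dst"].num_addresses == 1
        and not r["dev"].startswith(tunnel_ifaces)
        and r["dst"].network_address in gateways
    ]


def check_live(gateway_ips):
    """Run the same check against the real routing table of this host."""
    out = subprocess.run(["ip", "route", "show"], capture_output=True, text=True, check=True).stdout
    return lingering_gateway_routes(parse_routes(out), gateway_ips)


if __name__ == "__main__":
    for r in lingering_gateway_routes(parse_routes(SAMPLE_ROUTES), {"198.51.100.7"}):
        print(f"lingering route: {r['dst']} via {r['via']} dev {r['dev']}")
```

Run `check_live` with the gateway addresses your OpenVPN config points at after disconnecting; an empty list means no direct route survived.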

