William J. Tolley

**Name of the Vulnerable Software and Affected Versions** Linux (affected versions not specified) FreeBSD (affected versions not specified) OpenBSD (affected versions not specified) MacOS (affected versions not specified) iOS (affected versions not specified) Android (affected versions not specified) **Description** A vulnerability was discovered that allows a malicious access point or an adjacent user to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel. The issue affects Linux, FreeBSD, OpenBSD, Android, macOS, and iOS, among other Unix-like systems. Enabling the reverse path filtering mechanism (rp filter) in strict mode for IPv4 can neutralize the problem. **Recommendations** For Linux, consider enabling the rp filter mechanism in strict mode for IPv4 to mitigate the issue. For other affected systems, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Android kernel (affected versions not specified) **Description** The issue concerns a possible information disclosure in the Android kernel's VPN routing. This could lead to remote information disclosure by an adjacent network attacker with no additional execution privileges needed. User interaction is not required for exploitation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.