Jump to content


Photo

PSA: Windows Firewall Network Lock is broken in 2.14.5

security network lock bug

  • Please log in to reply
9 replies to this topic

#1 Xwb2M9yPbL

Xwb2M9yPbL

    Newbie

  • Members
  • Pip
  • 3 posts

Posted 19 June 2018 - 05:28 PM

TLDR: Network lock via the Windows Firewall is completely broken in Eddie 2.14.5.

 

The following is based on a fresh Windows 7 Professional SP1 install (Vmware VM), Eddie 2.14.

5 is at stock settings except for Network Lock being changed from "Automatic" to "Windows Firewall (Not Recommended)".

  1. Upon enabling Network Lock, the following Outbound firewall rules are created: Firewall rules.png
  2. The "Eddie - Out - Allow IPs" rule (the one highlighted) allows ALL outgoing connections !?
  3. Indeed, no traffic is blocked when the VPN is not connected, thus breaking Network Lock

Enabling verbose logging shows the rule being created as follows:cmd.png

 

 

How on earth did this get through testing? I mean, I'm smiling, but I am very f***ing furious...

 

This really shakes the confidence that i had in AirVPN as a professional and technically competent VPN provider.



#2 go558a83nk

go558a83nk

    Advanced Member

  • Members2
  • PipPipPip
  • 1684 posts

Posted 19 June 2018 - 05:45 PM

hmmm.  I'm guessing it got through testing because people use automatic (WFP) not firewall and you apparently didn't help in testing. :)



#3 Staff

Staff

    Advanced Member

  • Staff
  • PipPipPip
  • 7701 posts

Posted 19 June 2018 - 06:46 PM

Hello!

 

Thank you for the report. Please keep Network Lock at "Automatic" setting or "Windows Filtering Platform" while we investigate with maximum priority.

 

Kind regards



#4 Staff

Staff

    Advanced Member

  • Staff
  • PipPipPip
  • 7701 posts

Posted 19 June 2018 - 07:01 PM

Hello!

 

We confirm the bug, it has been inserted starting from 2.14.

 

Needles to say that we will review with determination our internal method of testing and testing personnel. Unfortunately not even the whole community caught this issue, since version 2.14 has been in public beta testing starting from the end of January 2018 and nobody saw this, probably because this Network Lock method is clearly reported as not recommended.

 

Version 2.15.2 (which had been planned to be released as stable) will contain the fix. It will be released in a very reasonable time. In the meantime, Windows users should simply leave Network Lock at its default setting, or revert back to "Automatic" or "Windows Filtering Platform" if they changed the Network Lock method to "Windows Firewall (not recommended)".

 

Kind regards



#5 go558a83nk

go558a83nk

    Advanced Member

  • Members2
  • PipPipPip
  • 1684 posts

Posted 19 June 2018 - 07:02 PM

Hello!

 

We confirm the bug, it has been inserted starting from 2.14.

 

Needles to say that we will review with determination our internal method of testing and testing personnel. Unfortunately not even the whole community caught this issue, since version 2.14 has been in public beta testing starting from the end of January 2018 and nobody saw this, probably because this Network Lock method is clearly reported as not recommended.

 

Version 2.15.2 (which had been planned to be released as stable) will contain the fix and its release was anyway due for today. In the meantime, Windows users should simply leave Network Lock at its default setting, or revert back to "Automatic" or "Windows Filtering Platform" if they changed the Network Lock method to "Windows Firewall (not recommended)".

 

Kind regards

 

 

 

 

https://airvpn.org/topic/28327-airvpn-dropping-connection-and-leaving-vulnerable/#entry74816

 

another user, most likely using "automatic", reporting network lock not working??



#6 Xwb2M9yPbL

Xwb2M9yPbL

    Newbie

  • Members
  • Pip
  • 3 posts

Posted 19 June 2018 - 07:20 PM

Hello!

 

We confirm the bug, it has been inserted starting from 2.14.

 

Needles to say that we will review with determination our internal method of testing and testing personnel. Unfortunately not even the whole community caught this issue, since version 2.14 has been in public beta testing starting from the end of January 2018 and nobody saw this, probably because this Network Lock method is clearly reported as not recommended.

 

Version 2.15.2 (which had been planned to be released as stable) will contain the fix. It will be released in a very reasonable time. In the meantime, Windows users should simply leave Network Lock at its default setting, or revert back to "Automatic" or "Windows Filtering Platform" if they changed the Network Lock method to "Windows Firewall (not recommended)".

 

Kind regards

First of all thanks a lot for the quick and clear response to this issue, it goes a long way towards restoring my confidence in this service :good:. In retrospect i can see how this could have been missed by testers, as it is unlikely for users to select an option marked as Not Recommended. Adding an explicit smoke test for this issue in the future would probably be the best way to go.

 

On a related note, could you please clarify a couple of points regarding network lock?

  1. Is the (recommended) WFP protection only active while Eddie is running?
  2. If yes, would Eddie work if network access is blocked (via the windows firewall) for everything except the .exe files in the Eddie install folder?

I understand that Windows Firewall-based protection is generally not recommended since any application can modify its configuration (nice one Microsoft...), but it would be nice to have a second layer of protection in case the connection drops and Eddie crashes.



#7 DarkSpace-Harbinger

DarkSpace-Harbinger

    Advanced Member

  • Members2
  • PipPipPip
  • 83 posts

Posted 19 June 2018 - 07:22 PM


Hello!

 

We confirm the bug, it has been inserted starting from 2.14.

 

Needles to say that we will review with determination our internal method of testing and testing personnel. Unfortunately not even the whole community caught this issue, since version 2.14 has been in public beta testing starting from the end of January 2018 and nobody saw this, probably because this Network Lock method is clearly reported as not recommended.

 

Version 2.15.2 (which had been planned to be released as stable) will contain the fix. It will be released in a very reasonable time. In the meantime, Windows users should simply leave Network Lock at its default setting, or revert back to "Automatic" or "Windows Filtering Platform" if they changed the Network Lock method to "Windows Firewall (not recommended)".

 

Kind regards

@staff, the issue is bigger than this. It appears to be affecting WFP/Automatic as well.

 

What i don't know is how far the leaks go beyond command prompt.

 

Torrent applications that always connect directly to IP's are likely compromised.

 

EDIT: Pings in command prompt will go through if allowed in Network Lock. Nothing to worry about!



#8 Xwb2M9yPbL

Xwb2M9yPbL

    Newbie

  • Members
  • Pip
  • 3 posts

Posted 19 June 2018 - 07:32 PM

Hello!

 

We confirm the bug, it has been inserted starting from 2.14.

 

Needles to say that we will review with determination our internal method of testing and testing personnel. Unfortunately not even the whole community caught this issue, since version 2.14 has been in public beta testing starting from the end of January 2018 and nobody saw this, probably because this Network Lock method is clearly reported as not recommended.

 

Version 2.15.2 (which had been planned to be released as stable) will contain the fix. It will be released in a very reasonable time. In the meantime, Windows users should simply leave Network Lock at its default setting, or revert back to "Automatic" or "Windows Filtering Platform" if they changed the Network Lock method to "Windows Firewall (not recommended)".

 

Kind regards

 

 

@staff, the issue is bigger than this. It appears to be affecting WFP/Automatic as well.

 

What i don't know is how far the leaks go beyond command prompt.

 

Torrent applications that always connect directly to IP's are likely compromised.

 

rHEG3Tb.png

 

Have you tried this with anything other than ping? Per default, pings are alowed by Network Lock (they are pretty much the only thing it allows), but any other type of traffic should be blocked.



#9 go558a83nk

go558a83nk

    Advanced Member

  • Members2
  • PipPipPip
  • 1684 posts

Posted 19 June 2018 - 07:37 PM

It's easy to test if the above result using WFP is a bug by just disallowing pings in the settings right?



#10 DarkSpace-Harbinger

DarkSpace-Harbinger

    Advanced Member

  • Members2
  • PipPipPip
  • 83 posts

Posted 19 June 2018 - 07:51 PM

It's easy to test if the above result using WFP is a bug by just disallowing pings in the settings right?

 

Your correct, i was being stupid.

 

I've tested it to make sure. I'll correct the other post.

 

ituXUvy.png







Similar Topics Collapse


1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

Servers online. Online Sessions: 14502 - BW: 57419 Mbit/sYour IP: 54.226.36.60Guest Access.