Security researcher William J. Tolley has disclosed a vulnerability that allows an attacker to hijack VPN connections built on OpenVPN, WireGuard or IKEv2/IPsec on most UNIX-like operating systems.

The vulnerability lets an attacker on the victim's local network determine whether another user is connected to a VPN (Virtual Private Network) and whether that user has an active connection to a particular website. It affects most GNU/Linux distributions as well as FreeBSD, OpenBSD, Android, iOS and macOS.

The vulnerability (CVE-2019-14899) requires adjacent network access: the attacker must be on the same broadcast or collision domain as the vulnerable system, for example by operating or having compromised the Wi-Fi access point the victim uses. From that position the attacker can hijack connections by injecting data into the TCP (Transmission Control Protocol) stream.

The attack has been reported to work against multiple VPN solutions, including OpenVPN, IKEv2/IPsec and WireGuard, and it works regardless of which VPN technology is in use: it lets the attacker infer what kind of packets are travelling through the encrypted tunnel.

“Most of the Linux distributions we tested were vulnerable, especially Linux distributions that use a version of systemd pulled after November 28th of last year which turned reverse path filtering off. However, we recently discovered that the attack also works against IPv6, so turning reverse path filtering on isn’t a reasonable solution,” said Tolley.

Noel Kuntze, a German IT security consultant, states that attacks of this type work regardless of whether a VPN is in use and are not specific to any operating system. He also says they only affect route-based VPNs, not policy-based VPNs. These attacks do not work against connections carried over Tor, and in his view they have minimal effect on most users.

“An attacker could only inject packets by attacking the connection whenever it is unprotected (e.g. on a commercial VPN provider setup that would be when the connection “comes” out of the VPN server and goes to the destination on the WAN). So, you’re usually fine,” said Noel Kuntze.

The researcher reports having tested the vulnerability against several common GNU/Linux and BSD systems, including:

  • Arch Linux 2019.05 (systemd)
  • Debian 10.2 (systemd)
  • Deepin (rc.d)
  • Devuan (sysV init)
  • Fedora (systemd)
  • FreeBSD (rc.d)
  • Manjaro 18.1.1 (systemd)
  • MX Linux 19 (Mepis and antiX)
  • OpenBSD (rc.d)
  • Ubuntu 19.10 (systemd)
  • Slackware 14.2 (rc.d)
  • Void Linux (runit)

The researcher notes that many other systems could be affected as well.

According to the researcher, possible mitigations are turning on reverse path filtering (with the caveat, noted above, that it does not cover IPv6), bogon filtering (dropping packets whose source address is bogus or unallocated) and reducing what the size and timing of encrypted packets reveal, for example by padding them. Users should also keep their systems up to date and install all available software updates.

The attack proceeds in three steps to take over a target's VPN connection:

  1. Determine the virtual IP address the VPN server has assigned to the client.
  2. Use that virtual IP to infer which connections are active, for example whether the client is talking to a particular website.
  3. Use the encrypted responses the client sends to unsolicited packets to work out the sequence and acknowledgment numbers of the active connection, then use them to hijack the TCP session.
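To make the mitigation paragraph and the attack steps concrete, here is an added example, written for this article rather than taken from the disclosure report or any VPN project. It models the one check that Linux reverse path filtering performs: a longest-prefix route lookup on a packet's source address, compared with the interface the packet actually arrived on. The routing table, addresses and interface names are constructed; the assumption that the step 2 probe is forged with the remote website's address as its source (so that the legitimate return route points into the tunnel) is mine.

```python
"""Model of the Linux reverse path filter (rp_filter) sysctl.

Added example for this article; not code from the disclosure report or from
any VPN project. It models only the source-address check the kernel performs:
a longest-prefix route lookup on the packet's source address, compared with
the interface the packet arrived on. Routes, addresses and interface names
are constructed for illustration (203.0.113.x and 198.51.100.x are
documentation ranges).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed routing table of a VPN client: everything goes through the
# tunnel (tun0) except the local LAN and the VPN server's public address,
# which are reached over the physical interface (wlan0).
ROUTES: List[Tuple[IPv4Net, str]] = [
    (ipaddress.ip_network("0.0.0.0/0"), "tun0"),         # default via VPN
    (ipaddress.ip_network("10.8.0.0/24"), "tun0"),       # VPN virtual subnet
    (ipaddress.ip_network("192.168.1.0/24"), "wlan0"),   # local Wi-Fi LAN
    (ipaddress.ip_network("203.0.113.10/32"), "wlan0"),  # VPN server (assumed)
]


def lookup_iface(routes: List[Tuple[IPv4Net, str]], addr: str) -> Optional[str]:
    """Longest-prefix match: the interface the host would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Tuple[IPv4Net, str]] = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter_accepts(routes: List[Tuple[IPv4Net, str]], mode: int,
                      ingress: str, src: str) -> bool:
    """True if a packet from src arriving on ingress survives rp_filter.

    mode 0: no source validation (the setting the article says newer systemd
            releases turned off).
    mode 1: strict; the return route to src must leave via ingress.
    mode 2: loose; any route back to src is enough.
    """
    if mode == 0:
        return True
    back = lookup_iface(routes, src)
    if mode == 1:
        return back == ingress
    if mode == 2:
        return back is not None
    raise ValueError("rp_filter mode must be 0, 1 or 2")


def probe_outcomes(mode: int) -> Dict[str, bool]:
    """Two constructed probes an adjacent attacker could deliver over wlan0.

    'website_spoof': a packet forged with a remote website's address
        (198.51.100.7) as source, the kind of unsolicited packet step 2 of
        the attack relies on; the host's own route back to it is tun0.
    'lan_neighbour': a packet genuinely from the LAN gateway (192.168.1.1),
        whose route back is wlan0 and which must keep working.
    """
    return {
        "website_spoof": rp_filter_accepts(ROUTES, mode, "wlan0", "198.51.100.7"),
        "lan_neighbour": rp_filter_accepts(ROUTES, mode, "wlan0", "192.168.1.1"),
    }


if __name__ == "__main__":
    for mode, name in ((0, "off"), (1, "strict"), (2, "loose")):
        print(f"rp_filter={mode} ({name}): {probe_outcomes(mode)}")
```

Two things the run makes visible. Only strict mode (1) drops the forged probe: loose mode (2) accepts it as soon as a default route exists, because every address is then "reachable". And the model is IPv4 only, which matches the researcher's point that the Linux sysctl (`net.ipv4.conf.all.rp_filter` and `net.ipv4.conf.<interface>.rp_filter`, of which the kernel applies the higher value) has no IPv6 counterpart and so is not a complete fix.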

The publicly available disclosure report explains in detail the full procedure for reproducing the vulnerability on Linux distributions.
