VPN vulnerability discovered on UNIX systems

A new vulnerability that appears to allow attackers to hijack VPN connections on most UNIX-based operating systems using either OpenVPN, WireGuard, or IKEv2/IPSec VPN solutions has been discovered according to security researcher William J. Tolley.

Affecting most GNU/Linux distributions, including Arch, the new security vulnerability could allow a local attacker to determine if another user is connected to a VPN (Virtual Private Network) server and whether or not there’s an active connection to a certain website.

The vulnerability (CVE-2019-14899) is exploitable with adjacent network access, which requires the attacker to have access to either the broadcast or collision domain of the vulnerable operating system, and lets attackers hijack connections by injecting data into the TCP (Transmission Control Protocol) stream.

The vulnerability has been reported to work against various popular VPN solutions, including OpenVPN, IKEv2/IPSec, as well as WireGuard, and it doesn’t matter which VPN technology is being used, thus allowing an attacker to determine the type of packets being sent through the encrypted VPN tunnel.

“Most of the Linux distributions we tested were vulnerable, especially Linux distributions that use a version of systemd pulled after November 28th of last year which turned reverse path filtering off. However, we recently discovered that the attack also works against IPv6, so turning reverse path filtering on isn’t a reasonable solution,” said Tolley.

Noel Kuntze, an IT security consultant from Germany, reports that this type of attacks work regardless of if you have a VPN or not and aren’t systemd specific. He also claims that they impact only route-based VPNs and not policy-based VPNs. Also, these attacks do not work against TOR-enabled connections and have a limited impact on most users.

“An attacker could only inject packets by attacking the connection whenever it is unprotected (e.g. on a commercial VPN provider set up that would be when the connection “comes” out of the VPN server and goes to the destination on the WAN). So you’re usually fine,” said Noel Kuntze. A satisfactory workaround is yet to be discovered

The researcher claims to have tested the vulnerability against several popular GNU/Linux and BSD distributions, including Arch Linux 2019.05 (systemd).

Possible mitigations include turning reverse path filtering on by creating a file /etc/sysctl.d/51-rpfilter.conf with the content  “net.ipv4.conf.all.rp_filter=1”, Bogon filtering, as well as encrypted packet size and timing, but each of the potential problems in different environments, so it advised waiting until the vulnerability is patched in your operating system of choice. Therefore, we’re recommending users to keep their systems up to date at all times and install all available software updates.

Follow us:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: