Vulnerability allows attackers to listen in on and intercept VPN connections

Researchers from the University of New Mexico discovered a vulnerability affecting Ubuntu, Fedora, Debian, FreeBSD, OpenBSD, macOS, iOS, Android, and other Unix-based OSs. The vulnerability allows an attacker to listen in on, intercept and interfere with the operation of VPN connections.

The bug has been assigned the identifier CVE-2019-14899. The root of the problem lies in the network stacks of a number of Unix-based operating systems, more precisely in the way these OSs respond to unexpected network packets.

An attacker can use the vulnerability to “probe” the device and identify various details about the status of the user’s VPN connection.

“We have discovered a vulnerability in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android which allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel,” write researchers William J. Tolley, Beau Kujath and Jedidiah R. Crandall from Breakpointing Bad & University of New Mexico.

The attack can be carried out from a malicious access point or router, or by an attacker present on the same network, to determine whether another user is connected to a VPN, find out the virtual IP address assigned to them by the server, and determine whether the victim is connected to a specific site. Even worse, the bug makes it possible to determine the exact sequence of packets in certain VPN connections, which can be used to inject data into the TCP stream and compromise the connection.

Experts describe three steps for carrying out an attack:

  1. Determining the VPN client’s virtual IP address
  2. Using the virtual IP address to make inferences about active connections
  3. Using the encrypted replies to unsolicited packets to determine the sequence and acknowledgment numbers of the active connection to hijack
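
A defender-side sketch of how step 1 could be spotted, added here as an example and not taken from the researchers' report or any vendor tool. It assumes the probes reach the device on its physical interface while being addressed to the VPN's virtual subnet; the interface names, the 10.8.0.0/24 subnet, the MAC addresses and the threshold are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed capture summary: (receiving interface, source MAC, destination IP).
# All names and addresses below are made up for this example.
SWEEPER = "02:00:00:00:00:99"
SAMPLE_PACKETS = (
    [("wlan0", "02:00:00:00:00:01", "192.168.1.23"),   # ordinary LAN traffic
     ("tun0", "-", "10.8.0.6"),                        # ordinary tunnel traffic
     ("wlan0", "02:00:00:00:00:07", "10.8.0.200")]     # one stray packet
    + [("wlan0", SWEEPER, f"10.8.0.{i}") for i in range(2, 10)]  # address sweep
)


def find_tunnel_probes(packets, tunnel_iface, tunnel_net, own_vip, min_targets=4):
    """Flag neighbours that send packets for the VPN subnet to a non-tunnel interface."""
    net = ipaddress.ip_network(tunnel_net)
    targets = defaultdict(set)
    for iface, src_mac, dst_ip in packets:
        # Assumption: legitimate traffic for the virtual subnet only ever
        # arrives through the tunnel interface itself.
        if iface != tunnel_iface and ipaddress.ip_address(dst_ip) in net:
            targets[src_mac].add(dst_ip)

    findings = []
    for mac, dsts in sorted(targets.items()):
        hit_own = own_vip in dsts
        # Report a sweep over many addresses, or any probe of our own virtual IP.
        if len(dsts) >= min_targets or hit_own:
            findings.append({"src_mac": mac, "distinct_targets": len(dsts),
                             "hit_own_vip": hit_own})
    return findings


if __name__ == "__main__":
    for finding in find_tunnel_probes(SAMPLE_PACKETS, "tun0", "10.8.0.0/24", "10.8.0.6"):
        print(finding)
```

A source flagged with `hit_own_vip` set has reached the one address the device would answer for, so it is the finding to triage first.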

Researchers report that they have successfully exploited the vulnerability in the following operating systems, and also write that the problem extends to Android, iOS and macOS:

  1. Ubuntu 19.10 (systemd)
  2. Fedora (systemd)
  3. Debian 10.2 (systemd)
  4. Arch 2019.05 (systemd)
  5. Manjaro 18.1.1 (systemd)
  6. Devuan (sysV init)
  7. MX Linux 19 (Mepis + antiX)
  8. Void Linux (runit)
  9. Slackware 14.2 (rc.d)
  10. Deepin (rc.d)
  11. FreeBSD (rc.d)
  12. OpenBSD (rc.d)

It is emphasized that the attack works against OpenVPN, WireGuard, IKEv2/IPSec and others: the VPN technology itself does not matter, nor does the use of IPv4 or IPv6.
About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
