Vulnerability allows attackers to listen and intercept VPN connections

Researchers from the University of New Mexico discovered a vulnerability affecting Ubuntu, Fedora, Debian, FreeBSD, OpenBSD, macOS, iOS Android, and other Unix-based OSs. Vulnerability allows to listen, intercept and interfere with the operation of VPN connections.

The bug got the identifier CVE-2019-14899, and the root of the problem lies in the network stacks of a number of Unix-based operating systems, and more precisely, in the way these OSs respond to unexpected network packets.

An attacker can use the vulnerability to “probe” the device and identify various details about the status of the user’s VPN connection.

“We have discovered a vulnerability in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android which allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel”, – write researchers William J. Tolley, Beau Kujath, Jedidiah R. Crandall from Breakpointing Bad & University of New Mexico.

Attacks can be performed on behalf of a malicious access point or router, or an attacker can be present on the same network to determine if another user is connected to the VPN, find out his virtual IP address assigned by the server, and determine whether the victim is connected to a specific site. Even worse, the bug allows to determine the exact sequence of packets in certain VPN connections, which can be used to inject into the TCP data stream and compromise the connection.

Read also: Amazon Introduces Access Analyzer – Cloud Basket Security Monitoring Service

Experts describe three steps for carrying out an attack:

1. Determining the VPN client’s virtual IP address
2. Using the virtual IP address to make inferences about active connections
3. Using the encrypted replies to unsolicited packets to determine the sequence and acknowledgment numbers of the active connection to hijack

Researchers report that they have successfully exploited the vulnerability in the following operating systems, and also write that the problem extends to Android, iOS and macOS:Ubuntu 19.10 (systemd)

1. Fedora (systemd)
2. Debian 10.2 (systemd)
3. Arch 2019.05 (systemd)
4. Manjaro 18.1.1 (systemd)
5. Devuan (sysV init)
6. MX Linux 19 (Mepis + antiX)
7. Void Linux (runit)
8. Slackware 14.2 (rc.d)
9. Deepin (rc.d)
10. FreeBSD (rc.d)
11. OpenBSD (rc.d)