Unix-like Systems Vulnerable to VPN Inferring and Hijacking Attacks

  • Linux, Unix, and Android are vulnerable to a clever VPN sniffing attack that can lead to connection hijacking.
  • Researchers have demonstrated the issue on multiple operating systems and VPN solutions.
  • The attack is not easy to carry out, so there is no real risk of it going mainstream before everyone applies fixes.

Three researchers from Breakpointing Bad and the University of New Mexico have discovered a vulnerability that exists in Linux and Unix-like operating systems such as Android and macOS. Tracked as “CVE-2019-14899”, the flaw resides in the routing table code and the TCP code present in these systems. The vulnerability allows an attacker to perform traffic analysis via clever use of encrypted DNS queries in conjunction with error messages, leading to the sniffing of open TCP connection information. The attack was discovered some time ago, but the researchers disclosed it publicly only now, after giving vendors time to plug the holes.

As the researchers detail, the flaw enables a network-adjacent attacker to tell when another user is connected to a VPN, to learn the IP address assigned to them by the VPN server, and to determine whether they are visiting a specific website. The team also managed to determine the SEQ and ACK numbers by analyzing the number and sizes of the encrypted packets, and were then able to inject data into the TCP stream, which essentially amounts to connection hijacking. The tests were done on CentOS, Manjaro 18.1.1, and Ubuntu 19.10, and the exploit works over both IPv4 and IPv6. Besides these systems, the following are also confirmed to be vulnerable: Fedora, Debian 10.2, Arch 2019.5, Devuan, MX Linux 19, Void Linux, Slackware 14.2, Deepin, FreeBSD, and OpenBSD. As the team points out, the same behavior, with slight differences, is also present on Android and macOS. The VPN products tested were OpenVPN, WireGuard, and IKEv2/IPSec, but the problem is there no matter which VPN product is used.

The attack, and the crafting of the special packets required to let the infiltrator look inside someone else’s VPN tunnel, is very clever, with some researchers calling the method impressive. That said, the chances of this exploding into massive-scale exploitation are pretty slim right now. Still, those who deploy VPN connections in highly critical environments should make sure to apply the following proposed mitigations: a) turn reverse path filtering on, in strict mode; b) activate bogon filtering to hide the IP address; c) obscure packet size and timing via padding or other means. It is important to point out, however, that these mitigations aren’t absolutely effective against the full range of CVE-2019-14899 exploitation potential, but they are still valuable measures.
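The first two mitigations above are host configuration, so here is an added example, not code from the article or from the researchers, of what an administrator would check and apply on a Linux host: a POSIX shell script that audits the per-interface reverse path filtering knobs (0 = off, 1 = strict, 2 = loose, as exposed under /proc/sys/net/ipv4/conf), renders the sysctl.d fragment that forces strict mode, and renders an nftables snippet that drops packets arriving on the LAN interface but addressed to the VPN tunnel’s private range. The interface name `eth0` and the tunnel range `10.8.0.0/24` are constructed placeholders, and treating tunnel-range destinations on the physical interface as bogons is one reading of the bogon-filtering advice, not the researchers’ exact rule set.

```shell
#!/bin/sh
# Added example (not from the article or the researchers): audit strict
# reverse path filtering on a Linux host and render the sysctl and nftables
# fragments an administrator would apply. Assumes the standard
# /proc/sys/net/ipv4/conf/<iface>/rp_filter knobs and the nft CLI.

# Map a raw rp_filter value to its mode name.
rp_filter_mode() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# Walk every interface's rp_filter knob under $1 (default: the live /proc
# tree) and print "<iface> <mode>"; return 1 if any interface is not strict,
# 2 if the directory does not exist on this host.
audit_rp_filter() {
    conf_dir="${1:-/proc/sys/net/ipv4/conf}"
    status=0
    [ -d "$conf_dir" ] || { echo "no $conf_dir on this host" >&2; return 2; }
    for knob in "$conf_dir"/*/rp_filter; do
        [ -r "$knob" ] || continue
        iface=$(basename "$(dirname "$knob")")
        mode=$(rp_filter_mode "$(cat "$knob")")
        echo "$iface $mode"
        [ "$mode" = "strict" ] || status=1
    done
    return $status
}

# Render the sysctl.d fragment that turns on strict mode for all existing
# interfaces and for any interface created later.
strict_rp_filter_sysctl() {
    printf '%s\n' \
        "net.ipv4.conf.all.rp_filter = 1" \
        "net.ipv4.conf.default.rp_filter = 1"
}

# Render an nftables snippet: packets arriving on the physical LAN interface
# ($1, placeholder "eth0") that are addressed to the VPN tunnel's private
# range ($2, placeholder 10.8.0.0/24) have no business there and are dropped.
# Adjust both values to the real interface and the range the VPN server hands out.
bogon_filter_nft() {
    lan_if="${1:-eth0}"
    tunnel_net="${2:-10.8.0.0/24}"
    cat <<EOF
table inet vpnguard {
    chain input {
        type filter hook input priority -10; policy accept;
        iif "$lan_if" ip daddr $tunnel_net counter drop
    }
}
EOF
}

# Usage: ./vpn_mitigations.sh --audit   (reads the live /proc tree)
#        ./vpn_mitigations.sh --render  (prints the fragments to apply)
case "${1:-}" in
    --audit)  audit_rp_filter ;;
    --render) strict_rp_filter_sysctl; echo; bogon_filter_nft ;;
esac
```

Apply the sysctl fragment by writing it to a file under /etc/sysctl.d/ and running `sysctl --system`; load the nftables snippet with `nft -f`. The audit exits non-zero whenever any interface is in loose or off mode, so it can run from a configuration check without parsing its output.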

OpenVPN Access Server Product Manager, Johan Draaisma, has provided the following statement: “It doesn’t appear to be a flaw in the OpenVPN software, but a flaw in the configuration of the operating system itself. The issue is more in how the operating system deals with this type of attack in general, rather than anything going wrong in the VPN connection itself.”
