New Vuln Lets Attackers Sniff Or Hijack VPN Connections

Binary CodeImage: kalhh

Academics have disclosed this week a security flaw impacting Linux, Android, macOS, and other Unix-based operating systems that allows an attacker to sniff, hijack, and tamper with VPN-tunneled connections.

The vulnerability — tracked as CVE-2019-14899 — resides in the networking stacks of multiple Unix-based operating systems, and more specifically, in how the operating systems reply to unexpected network packet probes.

According to the research team, attackers can use this vulnerability to probe devices and discover various details about the user’s VPN connection status.

Attacks can be carried out from a malicious access point or router, or by an attacker present on the same network “to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website.”

Furthermore, the research team also claims they were also able to determine the exact packet sequence in certain VPN connections.

“This allows us to inject data into the TCP stream and hijack connections,” said William J. Tolley, one of the three members of the Breakpointing Bad research team at the University of New Mexico.

Multiple operating systems impacted

The team said they tested and successfully exploited the vulnerability on the following operating systems:

Ubuntu 19.10 (systemd)
Fedora (systemd)
Debian 10.2 (systemd)
Arch 2019.05 (systemd)
Manjaro 18.1.1 (systemd)
Devuan (sysV init)
MX Linux 19 (Mepis+antiX)
Void Linux (runit)
Slackware 14.2 (rc.d)
Deepin (rc.d)
FreeBSD (rc.d)
OpenBSD (rc.d)

Other Unix-based operating systems like Android and macOS are also impacted.

The research team said their attack worked against VPN technologies like OpenVPN, WireGuard, and IKEv2/IPSec, and possibly others, as “the VPN technology used does not seem to matter.”

A “very impressive” attack

In response to the public disclosure, Jason A. Donenfeld, the creator of the WireGuard open-source VPN, said the “this isn’t a WireGuard vulnerability, but rather something in the routing table code and/or TCP code on affected operating systems.”

“It appears to affect basically most common Unix network stacks,” Donenfeld added.

Donenfeld described CVE-2019-12899 as a “nice vuln[erability]” while Colm MacCárthaigh, an Amazon Web Services engineer and member of the Apache HTTPd development team, described the attack as “very impressive.”

According to the research team, the attack relies on sending unsolicited network packets to a victim’s device (Linux router, Android phone, macOS desktop, etc.) and observing how the targeted device replies.

The cleverness of the attack resides in how the research team crafted these packets, and the way in which they used the replies to infer what the user was doing inside their VPN tunnel.

The research team’s public disclosure contains more technical details, along with possible mitigations that server owners can apply. The attack is not trivial to execute so this would exclude scenarios of mass-exploitation until patches will be available. However, the vulnerability is ideal for targeted attacks, if the attacker has the expertise to carry it out.