Researchers from the University of New Mexico have unearthed a vulnerability that lets an attacker determine whether a user is connected to a VPN and hijack active TCP connections inside the VPN tunnel. The flaw, tracked as SB2019120905 (CVE-2019-14899), affects most Linux distributions as well as other Unix-like operating systems, including FreeBSD, OpenBSD, macOS, iOS, and Android.
The vulnerability resides in the networking stacks of multiple Unix-based operating systems, specifically in how those operating systems reply to unexpected network packet probes. According to the research team, an attacker operating a malicious access point, or one present on the same local network, can “determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream”.
The researchers tested the vulnerability against multiple operating systems and found that most of them were vulnerable. An incomplete list of the vulnerable operating systems is provided below:
Ubuntu 19.10 (systemd)
Debian 10.2 (systemd)
Arch 2019.05 (systemd)
Manjaro 18.1.1 (systemd)
Devuan (sysV init)
MX Linux 19 (Mepis+antiX)
Void Linux (runit)
Slackware 14.2 (rc.d)
“This attack did not work against any Linux distribution we tested until the release of Ubuntu 19.10, and we noticed that the rp_filter settings were set to ‘loose’ mode. We see that the default settings in sysctl.d/50-default.conf in the systemd repository were changed from ‘strict’ to ‘loose’ mode on November 28, 2018, so distributions using a version of systemd without modified configurations after this date are now vulnerable. Most Linux distributions we tested which use other init systems leave the value as 0, the default for the Linux kernel,” the researchers said.
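The researchers' observation above ties exposure on Linux to the reverse-path-filter mode, which the kernel exposes per interface as net.ipv4.conf.<iface>.rp_filter (0 = off, 1 = strict, 2 = loose). The following POSIX shell script is an added example for administrators who want to audit a host for the ‘loose’ setting the team found on Ubuntu 19.10; it is not code from the article or from the University of New Mexico researchers. The function and variable names (rp_filter_mode, rp_filter_loose_ifaces, rp_filter_loose_count, rp_filter_live_report, SAMPLE_RP_FILTER) are this example's own, and SAMPLE_RP_FILTER is a constructed input that stands in for the live /proc values so the logic can be exercised on any system. The script only reports; it changes no settings.

```shell
#!/bin/sh
# Added example (not from the article): audit Linux rp_filter settings per interface.
# Kernel values for net.ipv4.conf.<iface>.rp_filter: 0 = off, 1 = strict, 2 = loose.
# The researchers observed that systemd's 50-default.conf switched the default
# from strict to loose on 2018-11-28, and that loose mode is what their tests hit.

# Map a numeric rp_filter value to its kernel meaning.
rp_filter_mode() {
  case "$1" in
    0) echo "off" ;;
    1) echo "strict" ;;
    2) echo "loose" ;;
    *) echo "unknown" ;;
  esac
}

# Read "iface value" lines on stdin; print the name of every interface in loose mode.
rp_filter_loose_ifaces() {
  while read -r iface value; do
    [ "$(rp_filter_mode "$value")" = "loose" ] && printf '%s\n' "$iface"
  done
  return 0
}

# Same input as above; print how many interfaces are in loose mode.
rp_filter_loose_count() {
  rp_filter_loose_ifaces | wc -l | tr -d ' '
}

# Produce "iface value" lines from the live kernel settings (Linux only).
# On a non-Linux host this prints nothing and explains why on stderr.
rp_filter_live_report() {
  dir=/proc/sys/net/ipv4/conf
  [ -d "$dir" ] || { echo "no $dir: rp_filter is a Linux kernel setting" >&2; return 0; }
  for f in "$dir"/*/rp_filter; do
    [ -f "$f" ] || continue
    iface=$(basename "$(dirname "$f")")
    printf '%s %s\n' "$iface" "$(cat "$f")"
  done
}

# Constructed sample (NOT captured from a real host): the shape of a systemd-based
# distribution after the 2018 default change, with the VPN tunnel interface left at 0.
SAMPLE_RP_FILTER='all 2
default 2
lo 0
eth0 2
tun0 0'

# Demo on the constructed sample: lists all, default and eth0 as loose.
echo "Interfaces in loose mode (constructed sample):"
printf '%s\n' "$SAMPLE_RP_FILTER" | rp_filter_loose_ifaces
```

To audit the running host instead of the sample, pipe the live report into the same filter: `rp_filter_live_report | rp_filter_loose_ifaces`. Any interface it prints is in the ‘loose’ mode the researchers describe, and `sysctl net.ipv4.conf.all.rp_filter` shows the same value for the "all" entry. Note that the article only reports the correlation the team found between loose mode and their successful tests; it does not claim that strict mode alone closes the issue on every platform, so treat a clean result from this script as one check among several rather than as proof of immunity.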
The team also successfully tested the flaw against OpenVPN, WireGuard, and IKEv2/IPsec. While the vulnerability has not been tested against Tor, the researchers believe that “it is not vulnerable since it operates in a SOCKS layer and includes authentication and encryption that happens in userspace.”
The full procedure for reproducing the vulnerability on Linux distributions is described in the researchers' disclosure report.