9 December 2019

New Linux vulnerability allows hijacking VPN connections on Unix systems

Researchers from the University of New Mexico have unearthed a vulnerability that can be used by an attacker to determine if a user is connected to a VPN and hijack active TCP connections in a VPN tunnel. The flaw, tracked as SB2019120905 (CVE-2019-14899), affects most Linux distros, as well as other Unix-like operating systems including FreeBSD, OpenBSD, macOS, iOS, and Android.

The vulnerability resides in the networking stacks of multiple Unix-based operating systems, specifically, in how the operating systems reply to unexpected network packet probes. According to the research team, the attacks can be carried out by attackers using a malicious access point, or by an attacker present in the same network to “determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream”.

The researchers tested the vulnerability against multiple operating systems and found that most of them were vulnerable. An incomplete list of vulnerable operating systems is provided below:

Ubuntu 19.10 (systemd)
Fedora (systemd)
Debian 10.2 (systemd)
Arch 2019.05 (systemd)
Manjaro 18.1.1 (systemd)
Devuan (sysV init)
MX Linux 19 (Mepis+antiX)
Void Linux (runit)
Slackware 14.2 (rc.d)
Deepin (rc.d)
FreeBSD (rc.d)
OpenBSD (rc.d)

“This attack did not work against any Linux distribution we tested until the release of Ubuntu 19.10, and we noticed that the rp_filter settings were set to “loose” mode. We see that the default settings in sysctl.d/50-default.conf in the systemd repository were changed from “strict” to “loose” mode on November 28, 2018, so distributions using a version of systemd without modified configurations after this date are now vulnerable. Most Linux distributions we tested which use other init systems leave the value as 0, the default for the Linux kernel,” the researchers said.
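The quoted finding turns on one kernel setting: the reverse-path filter, exposed on Linux as net.ipv4.conf.<interface>.rp_filter, where 0 disables filtering, 1 is strict mode and 2 is loose mode. The following POSIX shell script is an added example, not code from the article or from the researchers, that audits those values in the format `sysctl -a` prints and reports every interface that is not in strict mode. The sample listing embedded in it is constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original article or the researchers): audit the
# reverse-path filter (rp_filter) setting that the quoted finding turns on.
# Kernel values: 0 = no reverse-path filtering, 1 = strict, 2 = loose.

rp_filter_mode() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# Read "net.ipv4.conf.<iface>.rp_filter = <n>" lines on stdin (the format that
# `sysctl -a` prints) and emit "<iface> <mode>" for every interface.
rp_filter_report() {
    while IFS= read -r line; do
        case "$line" in
            net.ipv4.conf.*.rp_filter*) ;;
            *) continue ;;
        esac
        key=${line%%=*}           # strip " = <n>"
        key=${key% }              # drop the trailing space before "="
        val=${line##*= }          # the numeric value after "= "
        iface=${key#net.ipv4.conf.}
        iface=${iface%.rp_filter}
        printf '%s %s\n' "$iface" "$(rp_filter_mode "$val")"
    done
}

# Count interfaces whose mode is not strict; a non-zero count means the
# loose/off configuration the researchers describe is in effect somewhere.
count_non_strict() {
    rp_filter_report | awk '$2 != "strict" { n++ } END { print n + 0 }'
}

# Constructed sample in sysctl output format (not captured from a real host).
SAMPLE='net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.tun0.rp_filter = 2'

# On a live Linux host, feed the real listing instead: sysctl -a 2>/dev/null
printf '%s\n' "$SAMPLE" | rp_filter_report
printf 'interfaces not in strict mode: %s\n' "$(printf '%s\n' "$SAMPLE" | count_non_strict)"
```

To move a host back to the strict mode the quote names as the earlier default, set net.ipv4.conf.all.rp_filter = 1 and net.ipv4.conf.default.rp_filter = 1 in a drop-in under /etc/sysctl.d/ (the file name is the administrator's choice) so it takes precedence over the systemd-shipped 50-default.conf, then apply it with `sysctl --system`. Strict mode drops packets whose source would not be routed back through the interface they arrived on, so hosts that rely on asymmetric routing need to be checked before the change is rolled out.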

The team also successfully tested the flaw against OpenVPN, WireGuard, and IKEv2/IPSec. While the vulnerability has not been tested against Tor, the researchers believe that “it is not vulnerable since it operates in a SOCKS layer and includes authentication and encryption that happens in userspace.”

The full procedure for reproducing the vulnerability on Linux distros is described in the researchers' disclosure report.
