9 December 2019

New Linux vulnerability allows hijacking VPN connections on Unix systems

Researchers from the University of New Mexico have disclosed a vulnerability that lets an attacker on the same local network determine whether a user is connected to a VPN and hijack active TCP connections inside the VPN tunnel. The flaw, tracked as SB2019120905 (CVE-2019-14899), affects most Linux distributions as well as other Unix-like operating systems, including FreeBSD, OpenBSD, macOS, iOS, and Android.

The vulnerability resides in the networking stacks of multiple Unix-based operating systems, specifically in how they respond to unexpected network packet probes. According to the research team, the attack can be carried out from a malicious access point, or by an attacker present on the same network, to “determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream”.

The researchers tested the vulnerability against multiple operating systems and found that most of them were vulnerable. An incomplete list of vulnerable operating systems is provided below:

Ubuntu 19.10 (systemd)
Fedora (systemd)
Debian 10.2 (systemd)
Arch 2019.05 (systemd)
Manjaro 18.1.1 (systemd)
Devuan (sysV init)
MX Linux 19 (Mepis+antiX)
Void Linux (runit)
Slackware 14.2 (rc.d)
Deepin (rc.d)
FreeBSD (rc.d)
OpenBSD (rc.d)

“This attack did not work against any Linux distribution we tested until the release of Ubuntu 19.10, and we noticed that the rp_filter settings were set to ‘loose’ mode. We see that the default settings in sysctl.d/50-default.conf in the systemd repository were changed from ‘strict’ to ‘loose’ mode on November 28, 2018, so distributions using a version of systemd without modified configurations after this date are now vulnerable. Most Linux distributions we tested which use other init systems leave the value as 0, the default for the Linux kernel,” the researchers said.
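The quoted finding turns on one sysctl, net.ipv4.conf.*.rp_filter (0 = off, 1 = strict, 2 = loose). The script below is an added example, not code from the article or from the researchers: it audits sysctl-style rp_filter lines for loose mode and renders a sysctl.d drop-in that restores strict mode. It goes one step beyond the quote by applying the kernel's documented rule that the value used for an interface is the maximum of conf.all and conf.<iface>, so a strict per-interface setting is silently overridden by a loose conf.all. The sample values, the interface names and the drop-in file name are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the article's or the researchers' code): audit rp_filter
# for the "loose" setting tied to CVE-2019-14899 and render a strict drop-in.
# Sample values, interface names and the drop-in file name are assumptions.

# Kernel meaning of an rp_filter value.
rp_filter_mode() {
    case "$1" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# Extract N from a "net.ipv4.conf.X.rp_filter = N" line (sysctl output format).
rp_filter_value() {
    printf '%s' "${1##*=}" | tr -d ' \t'
}

# Read sysctl-style lines on stdin; print "<iface> effective=<mode> (iface=N all=N)"
# for every real interface. The kernel uses max(conf.all, conf.<iface>), so a
# loose conf.all overrides a strict per-interface value. Returns 1 if any
# interface is effectively loose, 0 otherwise.
audit_rp_filter() {
    input=$(cat)
    all=0
    loose=0
    while IFS= read -r line; do
        case "$line" in
            net.ipv4.conf.all.rp_filter*) all=$(rp_filter_value "$line") ;;
        esac
    done <<EOF
$input
EOF
    while IFS= read -r line; do
        case "$line" in
            net.ipv4.conf.all.rp_filter*|net.ipv4.conf.default.rp_filter*) continue ;;
            net.ipv4.conf.*.rp_filter*) ;;
            *) continue ;;
        esac
        iface=${line#net.ipv4.conf.}
        iface=${iface%%.rp_filter*}
        value=$(rp_filter_value "$line")
        case "$value$all" in *[!0-9]*|'') continue ;; esac
        effective=$value
        if [ "$all" -gt "$effective" ]; then effective=$all; fi
        printf '%s effective=%s (iface=%s all=%s)\n' \
            "$iface" "$(rp_filter_mode "$effective")" "$value" "$all"
        if [ "$effective" -eq 2 ]; then loose=1; fi
    done <<EOF
$input
EOF
    return $loose
}

# Emit sysctl-style lines for this host straight from /proc (no sysctl binary needed).
live_rp_filter_lines() {
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=${f#/proc/sys/net/ipv4/conf/}
        printf 'net.ipv4.conf.%s.rp_filter = %s\n' "${iface%/rp_filter}" "$(cat "$f")"
    done
}

# Content of a drop-in (assumed name /etc/sysctl.d/99-rp-filter-strict.conf) that
# sorts after systemd's 50-default.conf. Existing interfaces copied conf.default
# when they were created, so pass their names to pin them as well.
strict_rp_filter_dropin() {
    echo '# Restore strict reverse-path filtering (see CVE-2019-14899)'
    echo 'net.ipv4.conf.all.rp_filter = 1'
    echo 'net.ipv4.conf.default.rp_filter = 1'
    for iface in "$@"; do
        echo "net.ipv4.conf.$iface.rp_filter = 1"
    done
}

# Constructed sample resembling a host with systemd's loose default (not captured
# from a real system). wlan0 is strict per-interface but conf.all makes it loose.
SAMPLE_LOOSE='net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 2
net.ipv4.conf.eth0.rp_filter = 2
net.ipv4.conf.tun0.rp_filter = 2
net.ipv4.conf.wlan0.rp_filter = 1'

# Constructed sample of a host with strict filtering in effect.
SAMPLE_STRICT='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.tun0.rp_filter = 0'

echo '== constructed loose-mode sample =='
if printf '%s\n' "$SAMPLE_LOOSE" | audit_rp_filter; then
    echo 'OK: no interface in loose mode'
else
    echo 'WARNING: loose mode found; proposed drop-in:'
    strict_rp_filter_dropin eth0 tun0 wlan0
fi

if [ -d /proc/sys/net/ipv4/conf ]; then
    echo '== this host =='
    live_rp_filter_lines | audit_rp_filter || echo 'WARNING: loose mode found on this host'
fi
```

After writing the drop-in, apply it with `sysctl --system` and re-run the audit; because the kernel takes the maximum of conf.all and the per-interface value, a strict conf.all alone is not enough while any interface still carries the loose value it inherited from conf.default.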

The team also successfully tested the flaw against OpenVPN, WireGuard, and IKEv2/IPsec. While the vulnerability has not been tested against Tor, the researchers believe that “it is not vulnerable since it operates in a SOCKS layer and includes authentication and encryption that happens in userspace.”

The full procedure for reproducing the vulnerability on Linux distributions is described in the researchers' disclosure report.
