Rearchers have warned that a newly-discovered vulnerability in Unix systems may allow attackers to compromise VPN security in certain circumstances.
Named CVE-2019-14899, the vulnerability potentially allows an attacker to sniff, tamper and hijack active connections inside the VPN tunnel, due to the way in which operating systems handle unexpected network probes.
"We have discovered a vulnerability in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android which allows a malicious access point to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream", explained William J. Tolley of the Breakpointing Bad cybersecurity research team from the University of New Mexico in a blogpost.
The attack does require an attacker to either be on the same network as a potential victim, or to operate a malicious access point or router. However, the attack works against OpenVPN, WireGuard, and IKEv2/IPSec, and consists of three steps:
1. Determining the VPN client’s virtual IP address
2. Using the virtual IP address to make inferences about active
3. Using the encrypted replies to unsolicited packets to determine the
sequence and acknowledgment numbers of the active connection to hijack
the TCP session
Identifying the virtual IP of the victim is accomplished by sending SYN-ACK packets to the victim device across the entire virtual IP space (the default for OpenVPN is 10.8.0.0/24). When a SYN-ACK is sent to the correct virtual IP on the victim device, the device responds with a RST; when the SYN-ACK is sent to the incorrect virtual IP, nothing is received by the attacker, noted the researchers.
"Similarly, to test if there is an active connection for any given website, such as 126.96.36.199, for example, we send SYN or SYN-ACKs from 188.8.131.52 on port 80 (or 443) to the virtual IP of the victim across the entire ephemeral port space of the victim. The correct four-tuple will elicit no more than 2 challenge ACKs per second from the victim, whereas the victim will respond to the incorrect four-tuple with a RST for each packet sent to it."
Finally, once the attacker determined that the user has an active TCP connection to an external server, they can infer how to inject forged packets into the connection by continually spoofing reset packets into the inferred connection until they sniff challenge ACKs. "The attacker can reliably determine if the packets flowing from the client to the VPN server are challenge ACKs by looking at the size and timing of the encrypted responses in relation to the attacker's spoofed packets.
The victim’s device will trigger a TCP challenge ACK on each reset it receives that has an in-window sequence number for an existing connection. After the attacker has inferred the in-window sequence number for the client's connection, they can quickly determine the exact sequence number and in-window ACK needed to inject", summarised the researchers.
Javvad Malik, security awareness advocate at KnowBe4 commented: "This is not the first VPN vulnerability to be disclosed by researchers this year, and while this appears to be largely a proof of concept which may not be very easy to exploit in the wild. it does show a trend that as VPNs become more popular, they are coming under more scrutiny by researchers and by extension the criminals. Therefore enterprises should be aware of the growing risks to VPN services and ensure they make decisions which are best for their business. This could mean ensuring VPN products are kept fully patched and up to date as a priority, or change the type of information that is accessible remotely."
Paul Bischoff, privacy advocate, Comparitech.com agreed: "Although the potential repercussions of this attack can be quite serious, it's also quite difficult to pull off. From the looks of it, this attack can't yet be pulled off in bulk and must be targeted at specific users. If you're using a Unix-based operating system (MacOS, Android, Linux), then you can expect a patch soon. In the meantime, for the vast majority of affected users, using a VPN is still safer than not using one at all."
Affected operating systems include:
Ubuntu 19.10 (systemd)
Debian 10.2 (systemd)
Arch 2019.05 (systemd)
Manjaro 18.1.1 (systemd)
Devuan (sysV init)
MX Linux 19 (Mepis+antiX)
Void Linux (runit)
Slackware 14.2 (rc.d)