Researchers from the University of New Mexico have discovered a vulnerability, tracked as CVE-2019-14899, that can be exploited by an attacker to determine if a user is connected to a VPN and hijack active TCP connections in a VPN tunnel.
The flaw could be exploited by an attacker who shares the same network segment with the targeted user to determine if they are using a VPN, obtain the virtual IP address, determine if the target is currently visiting a specified website, and even inject data into the TCP stream. The experts explained that in this way, it is possible to hijack active connections within the VPN tunnel.
“I’ am reporting a vulnerability that exists on most Linux distros, and other *nix operating systems which allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website.” reads the advisory published by the experts. “Additionally, we are able to determine the exact seq and
Another attack scenario sees hackers set up a rogue access point, below an the attack sequence described by the experts:
The CVE-2019-14899 vulnerability affects many Linux distros and Unix operating systems (i.e. Ubuntu, Fedora and Debian, FreeBSD, OpenBSD, macOS, iOS and Android), the team of experts ethically reported the issue to the development teams of the impacted OSs at the time of its discovery.
The experts successfully tested the flaw against OpenVPN, WireGuard, and IKEv2/IPSec, but it has not been tested against Tor. Experts believe Tor not vulnerable because it operates in a SOCKS layer and implements authentication and encryption that happens in
Experts pointed out that the attack did not work against any Linux distribution they have tested until the release of Ubuntu 19.10. The researchers noticed that the rp_filter settings were set to “loose” mode. The default settings in d/50-default in the repository were changed from “strict” to “loose” mode on November 28, 2018, this means that the distributions using a version of systemd without modified configurations after this date are now vulnerable.
Possible mitigations include turning reverse path filtering on, using
The researchers will publish a paper that will include technical details of the vulnerability.