A serious vulnerability affecting VPN connections on many systems has surfaced. Once exploited, it allows an attacker to sniff other users’ VPN traffic and to hijack VPN-tunneled connections.
VPN Vulnerability Allows Connection Hijacking
Researchers from Breakpointing Bad & University of New Mexico have discovered a serious vulnerability affecting VPN connections. An attacker on the network can exploit this vulnerability to hijack VPN connections and sniff users’ data.
As explained in the researchers’ public disclosure, the vulnerability CVE-2019-14899 affects most Linux and Unix-based systems, including Android and macOS.
We have discovered a vulnerability in Linux, FreeBSD, OpenBSD, macOS, iOS, and Android which allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream.
In brief, the attack involves four components. Two are controlled by the attacker: the victim’s device and the access point (AP). The other two, the VPN server and the web server, are outside the attacker’s control.
The exact exploit behavior varies between systems, but on every vulnerable operating system the flaw is exploitable and ultimately lets the attacker hijack TCP connections.
More technical details about the attack and the list of vulnerable systems are available in the research team’s disclosure.
The researchers plan to publish a detailed paper on their findings once a workaround is in place. For now they have disclosed the vulnerability, after first informing the affected projects, including WireGuard, systemd, OpenVPN, Apple, Google and the Linux distributions.
However, until a workaround is available, the researchers have suggested some possible mitigations. These include:
- Turning reverse path filtering on
- Bogon filtering
- Encrypted packet size and timing
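One defender-side check for the first mitigation, added here as an example and not part of the original article or the researchers’ disclosure: a POSIX shell audit of Linux rp_filter values parsed from `sysctl -a`-style output (the interface names and values in the sample are constructed; on Linux the kernel applies the higher of the `all` and per-interface values, so setting `all` to 1 covers every interface).

```shell
#!/bin/sh
# Audit reverse path filtering (rp_filter) from sysctl-style output.
# Linux values: 0 = off, 1 = strict, 2 = loose. The disclosure recommends
# turning rp_filter on; this check treats only strict (1) as fully enabled
# and reports everything else. The kernel uses max(all, <iface>), so
# "net.ipv4.conf.all.rp_filter = 1" is enough to cover every interface.

# Print "iface value" for every entry whose rp_filter is not strict.
# Input on stdin: lines such as "net.ipv4.conf.eth0.rp_filter = 0".
find_weak_rp_filter() {
    sed -n 's/^net\.ipv4\.conf\.\([^.]*\)\.rp_filter *= *\([0-9]\)$/\1 \2/p' \
      | awk '$2 != 1 { print $1, $2 }'
}

# Return 0 when every entry on stdin is strict, 1 otherwise.
rp_filter_ok() {
    [ -z "$(find_weak_rp_filter)" ]
}

# Emit the sysctl.d lines that turn strict filtering on everywhere.
rp_filter_fix() {
    printf 'net.ipv4.conf.all.rp_filter = 1\n'
    printf 'net.ipv4.conf.default.rp_filter = 1\n'
}

# Constructed sample: what "sysctl -a 2>/dev/null | grep rp_filter" might
# print on a host with a VPN tunnel (tun0) and no filtering on it.
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.tun0.rp_filter = 0'

# Live use on a host: sysctl -a 2>/dev/null | find_weak_rp_filter
printf '%s\n' "$SAMPLE_SYSCTL" | find_weak_rp_filter
```

Feed `rp_filter_fix` into a file under `/etc/sysctl.d/` and reload with `sysctl --system` to apply the strict setting persistently.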