Pierluigi Paganini December 06, 2019

Researchers discovered a vulnerability tracked as CVE-2019-14899 that can be exploited to hijack active TCP connections in a VPN tunnel

Researchers from the University of New Mexico have discovered a vulnerability, tracked as CVE-2019-14899, that can be exploited by an attacker to determine if a user is connected to a VPN and hijack active TCP connections in a VPN tunnel.

The flaw could be exploited by an attacker who shares the same network segment with the targeted user to determine if they are using a VPN, obtain the virtual IP address, determine if the target is currently visiting a specified website, and even inject data into the TCP stream. The experts explained that in this way, it is possible to hijack active connections within the VPN tunnel.

“I’ am reporting a vulnerability that exists on most Linux distros, and other *nix operating systems which allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website.” reads the advisory published by the experts. “Additionally, we are able to determine the exact seq and ack numbers by counting encrypted packets and/or examining their size. This allows us to inject data into the TCP stream and hijack connections.”

Another attack scenario sees hackers set up a rogue access point, below an the attack sequence described by the experts:

• Determining the VPN client’s virtual IP address.
• Using the virtual IP address to make inferences about active connections.
• Using the encrypted replies to unsolicited packets to determine the sequence and acknowledgment numbers of the active connection to hijack the TCP session

The CVE-2019-14899 vulnerability affects many Linux distros and Unix operating systems (i.e. Ubuntu, Fedora and Debian, FreeBSD, OpenBSD, macOS, iOS and Android), the team of experts ethically reported the issue to the development teams of the impacted OSs at the time of its discovery.

The experts successfully tested the flaw against OpenVPN, WireGuard, and IKEv2/IPSec, but it has not been tested against Tor. Experts believe Tor not vulnerable because it operates in a SOCKS layer and implements authentication and encryption that happens in userspace. Other VPN technologies could be affected by the issue, the vulnerability could be exploited against both IPv4 and IPv6 connections.

Experts pointed out that the attack did not work against any Linux distribution they have tested until the release of Ubuntu 19.10. The researchers noticed that the rp_filter settings were set to “loose” mode. The default settings in d/50-default in the repository were changed from “strict” to “loose” mode on November 28, 2018, this means that the distributions using a version of systemd without modified configurations after this date are now vulnerable.

Possible mitigations include turning reverse path filtering on, using bogon filtering —filtering bogus (fake) IP addresses, or encrypting packet size and timing.

The researchers will publish a paper that will include technical details of the vulnerability.

Pierluigi Paganini

(SecurityAffairs – CVE-2019-14899, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]