Researchers from the University of New Mexico have discovered a vulnerability, tracked as CVE-2019-14899, that can be exploited by an attacker to determine if a user is connected to a VPN and hijack active TCP connections in a VPN tunnel.
The flaw could be exploited by an attacker who shares the same network segment with the targeted user to determine if they are using a VPN, obtain the virtual IP address, determine if the target is currently visiting a specified website, and even inject data into the TCP stream. The experts explained that in this way, it is possible to hijack active connections within the VPN tunnel.
“I’ am reporting a vulnerability that exists on most Linux distros, and other *nix operating systems which allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website.” reads the advisory published by the experts. “Additionally, we are able to determine the exact seq and ack numbers by counting encrypted packets and/or examining their size. This allows us to inject data into the TCP stream and hijack connections.”
Another attack scenario sees hackers set up a rogue access point, below an the attack sequence described by the experts:
The CVE-2019-14899 vulnerability affects many Linux distros and Unix operating systems (i.e. Ubuntu, Fedora and Debian, FreeBSD, OpenBSD, macOS, iOS and Android), the team of experts ethically reported the issue to the development teams of the impacted OSs at the time of its discovery.
The experts successfully tested the flaw against OpenVPN, WireGuard, and IKEv2/IPSec, but it has not been tested against Tor. Experts believe Tor not vulnerable because it operates in a SOCKS layer and implements authentication and encryption that happens in userspace. Other VPN technologies could be affected by the issue, the vulnerability could be exploited against both IPv4 and IPv6 connections.
Experts pointed out that the attack did not work against any Linux distribution they have tested until the release of Ubuntu 19.10. The researchers noticed that the rp_filter settings were set to “loose” mode. The default settings in d/50-default in the repository were changed from “strict” to “loose” mode on November 28, 2018, this means that the distributions using a version of systemd without modified configurations after this date are now vulnerable.
Possible mitigations include turning reverse path filtering on, using bogon filtering —filtering bogus (fake) IP addresses, or encrypting packet size and timing.
The researchers will publish a paper that will include technical details of the vulnerability.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – CVE-2019-14899, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]
The MITRE Corporation revealed that a nation-state actor compromised its systems in January 2024 by…
China-linked threat actors are preparing cyber attacks against U.S. critical infrastructure warned FBI Director Christopher…
The United Nations Development Programme (UNDP) has initiated an investigation into an alleged ransomware attack…
BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large…
An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.…
Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…
This website uses cookies.