The security flaw affects OpenVPN, WireGuard and IKEv2/IPSec

Dec 6, 2019 03:29 GMT  ·  By

Security researcher William J. Tolley has reported a new vulnerability that appears to allow attackers to hijack VPN connections on most UNIX-based operating systems using either OpenVPN, WireGuard, or IKEv2/IPSec VPN solutions.

Affecting most GNU/Linux distributions, as well as FreeBSD, OpenBSD, Android, iOS and macOS systems, the new security vulnerability could allow a local attacker to determine if another user is connected to a VPN (Virtual Private Network) server and whether or not there's an active connection to a certain website.

The vulnerability (CVE-2019-14899) is exploitable with adjacent network access, which requires the attacker to have access to either the broadcast or collision domain of the vulnerable operating system, and lets attackers hijack connections by injecting data into the TCP (Transmission Control Protocol) stream.

The vulnerability has been reported to work against various popular VPN solutions, including OpenVPN, IKEv2/IPSec and WireGuard; it doesn't matter which VPN technology is being used, and it allows an attacker to determine the type of packets being sent through the encrypted VPN tunnel.

"Most of the Linux distributions we tested were vulnerable, especially Linux distributions that use a version of systemd pulled after November 28th of last year which turned reverse path filtering off. However, we recently discovered that the attack also works against IPv6, so turning reverse path filtering on isn't a reasonable solution," said Tolley.

Noel Kuntze, an IT security consultant from Germany, reports that this type of attack works regardless of whether you have a VPN or not and is not systemd-specific. He also claims that it impacts only route-based VPNs and not policy-based VPNs. Also, these attacks do not work against Tor-enabled connections and have a limited impact on most users.

"An attacker could only inject packets by attacking the connection whenever it is unprotected (e.g. on a commercial VPN provider setup that would be when the connection "comes" out of the VPN server and goes to the destination on the WAN). So you're usually fine," said Noel Kuntze.

A satisfactory workaround is yet to be discovered

The researcher claims to have tested the vulnerability against several popular GNU/Linux and BSD distributions, including Arch Linux 2019.05 (systemd), Debian 10.2 (systemd), Deepin (rc.d), Devuan (sysV init), Fedora (systemd), FreeBSD (rc.d), Manjaro 18.1.1 (systemd), MX Linux 19 (Mepis and antiX), OpenBSD (rc.d), Ubuntu 19.10 (systemd), Slackware 14.2 (rc.d), and Void Linux (runit), but many others could be affected as well.

Possible mitigations include turning reverse path filtering on by creating a file /etc/sysctl.d/51-rpfilter.conf with the content "net.ipv4.conf.all.rp_filter=1", Bogon filtering, and padding encrypted packet size and timing, but each of them has potential problems in different environments, so it is advised to wait until the vulnerability is patched in your operating system of choice. Therefore, we're recommending users to keep their systems up to date at all times and install all available software updates.
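The reverse path filtering workaround above can be audited and applied from the shell. The script below is an added example, not code from the article or from the researcher; it reads the standard Linux sysctl locations (/proc/sys/net/ipv4/conf/*/rp_filter) and writes the drop-in file the article names. Note that this only covers IPv4: as Tolley points out, the attack also works over IPv6, so rp_filter alone is not a complete fix.

```shell
#!/bin/sh
# Added example (not from the article): audit and apply Linux reverse path
# filtering (rp_filter) as the CVE-2019-14899 workaround described above.
# Assumed paths are the standard sysctl locations; override via environment.

SYSCTL_D_FILE="${SYSCTL_D_FILE:-/etc/sysctl.d/51-rpfilter.conf}"
PROC_CONF="${PROC_CONF:-/proc/sys/net/ipv4/conf}"

# Map a raw rp_filter value to a label (kernel semantics: 0 off, 1 strict, 2 loose).
classify_rp_filter() {
  case "$1" in
    0) echo off ;;
    1) echo strict ;;
    2) echo loose ;;
    *) echo unknown ;;
  esac
}

# Print "<iface> <value> <label>" for every interface under the given conf
# directory (default: $PROC_CONF). Returns 1 if any interface has rp_filter off.
# The kernel uses max(all, <iface>) as the effective setting, so the "all"
# entry printed here is the one the article's sysctl line controls.
audit_rp_filter() {
  dir="${1:-$PROC_CONF}"
  rc=0
  for f in "$dir"/*/rp_filter; do
    [ -r "$f" ] || continue
    iface=$(basename "$(dirname "$f")")
    v=$(cat "$f")
    label=$(classify_rp_filter "$v")
    printf '%s %s %s\n' "$iface" "$v" "$label"
    [ "$label" = off ] && rc=1
  done
  return "$rc"
}

# Content of the sysctl drop-in; kept in a function so it can be reviewed first.
rpfilter_conf() {
  printf '# CVE-2019-14899 workaround: strict reverse path filtering (IPv4 only)\n'
  printf 'net.ipv4.conf.all.rp_filter=1\n'
}

# Write the drop-in to the given path (default: $SYSCTL_D_FILE).
write_rpfilter_conf() {
  target="${1:-$SYSCTL_D_FILE}"
  rpfilter_conf > "$target"
}

# Usage: sh rpfilter.sh audit   (read-only report, exit 1 if any interface is off)
#        sh rpfilter.sh apply   (write the drop-in and load it; needs root)
case "${1:-}" in
  audit) audit_rp_filter ;;
  apply) write_rpfilter_conf "$SYSCTL_D_FILE" && sysctl -p "$SYSCTL_D_FILE" ;;
esac
```

Run the `audit` mode before and after `apply` to confirm the `all` entry moved from `off` to `strict`; a reboot is not required because `sysctl -p` loads the file immediately.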