New Linux Bug Lets Attackers Hijack Encrypted VPN Connections

December 6, 2019



A team of cybersecurity researchers has disclosed a new severe vulnerability affecting most Linux and Unix-like operating systems, including FreeBSD, OpenBSD, macOS, iOS, and Android, that could allow remote 'network adjacent attackers' to spy on and tamper with encrypted VPN connections.



The vulnerability, tracked as CVE-2019-14899, resides in the networking stack of various operating systems and can be exploited against both IPv4 and IPv6 TCP streams.



Since the vulnerability does not rely on the VPN technology used, the attack works against widely implemented virtual private network protocols like OpenVPN, WireGuard, IKEv2/IPSec, and more, the researchers confirmed.

This vulnerability can be exploited by a network attacker — controlling an access point or connected to the victim's network — just by sending unsolicited network packets to a targeted device and observing replies, even if they are encrypted.



As explained by the researchers, though there are variations for each of the impacted operating systems, the vulnerability allows attackers to:

determine the virtual IP address of a victim assigned by the VPN server,

determine if there is an active connection to a given website,

determine the exact seq and ack numbers by counting encrypted packets and/or examining their size, and

inject data into the TCP stream and hijack connections.



"The access point can then determine the virtual IP of the victim by sending SYN-ACK packets to the victim device across the entire virtual IP space," the team said in its advisory.

"When a SYN-ACK is sent to the correct virtual IP on the victim device, the device responds with a RST; when the SYN-ACK is sent to the incorrect virtual IP, nothing is received by the attacker."
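
The probe-and-reply pattern quoted above can be looked for from the VPN client's side. The following detection logic is an added example, not code from the researchers' advisory or this article; the event tuple format, the interface names (tun0, wlan0), the addresses and the thresholds are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events as seen on the VPN client (not real capture data):
# (time_s, direction, iface, src, dst, tcp_flags)
SAMPLE_EVENTS = [
    (0.0, "out", "tun0", "10.8.0.7", "198.51.100.20", "S"),   # client opens a connection
    (0.1, "in", "tun0", "198.51.100.20", "10.8.0.7", "SA"),   # solicited reply inside the tunnel
    (1.0, "in", "wlan0", "192.0.2.1", "10.8.0.5", "SA"),
    (1.1, "in", "wlan0", "192.0.2.1", "10.8.0.6", "SA"),
    (1.2, "in", "wlan0", "192.0.2.1", "10.8.0.7", "SA"),
    (1.3, "out", "tun0", "10.8.0.7", "192.0.2.1", "R"),       # RST confirms the virtual IP
    (1.4, "in", "wlan0", "192.0.2.1", "10.8.0.8", "SA"),
]

def find_virtual_ip_sweeps(events, vpn_net, tunnel_iface, min_targets=3, window=5.0):
    """Report sources sending unsolicited SYN-ACKs to many VPN-range addresses
    over a non-tunnel interface, and any virtual IP a RST reply confirmed."""
    net = ipaddress.ip_network(vpn_net)
    syn_sent = set()               # (local, remote) pairs this host opened itself
    probes = defaultdict(list)     # source -> [(time, probed address)]
    confirmed = defaultdict(set)   # source -> probed addresses that answered with RST
    for ts, direction, iface, src, dst, flags in sorted(events):
        if direction == "out" and flags == "S":
            syn_sent.add((src, dst))
        elif (direction == "in" and flags == "SA" and iface != tunnel_iface
              and ipaddress.ip_address(dst) in net and (dst, src) not in syn_sent):
            probes[src].append((ts, dst))
        elif direction == "out" and flags == "R" and dst in probes:
            # A RST sent back to a prober from an address it probed earlier.
            if any(addr == src for _, addr in probes[dst]):
                confirmed[dst].add(src)
    findings = {}
    for source, hits in probes.items():
        # Largest number of distinct addresses probed within any `window` seconds.
        widest = max(len({a for t, a in hits if start <= t <= start + window})
                     for start, _ in hits)
        if widest >= min_targets:
            findings[source] = {"targets": widest,
                                "confirmed": sorted(confirmed[source])}
    return findings

if __name__ == "__main__":
    print(find_virtual_ip_sweeps(SAMPLE_EVENTS, "10.8.0.0/24", "tun0"))
```
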



As an example of how behavior varies between operating systems, the researchers said the attack does not work against macOS/iOS devices as described.



Instead, an attacker needs to "use an open port on the Apple machine to determine the virtual IP address." In their testing, the researchers use "port 5223, which is used for iCloud, iMessage, FaceTime, Game Center, Photo Stream, and push notifications, etc."



The researchers tested and successfully exploited the vulnerability against the following operating systems and init systems, but they believe the list could grow as researchers test the flaw on more systems.

Ubuntu 19.10 (systemd)

Fedora (systemd)

Debian 10.2 (systemd)

Arch 2019.05 (systemd)

Manjaro 18.1.1 (systemd)

Devuan (sysV init)

MX Linux 19 (Mepis+antiX)

...

Read more on thehackernews.com
