Saturday, October 12, 2024
Homecyber securityCritical Linux Vulnerability Let Hackers Hijack VPN-Tunneled TCP Connections

Critical Linux Vulnerability Let Hackers Hijack VPN-Tunneled TCP Connections

Published on

Malware protection

Researchers from the University of New Mexico uncovered a critical Linux vulnerability that affects most of the Linux distros, allows attack Inferring and hijacking VPN-tunneled TCP connections.

The vulnerability also allowed to inject the data into the TCP stream and hijack connections through determining the exact seq and ack numbers by counting encrypted packets and analyse the size.

The severe Linux vulnerability can be tracked as CVE-2019-14899 and affects the other services such as Systemd, Google, Apple, OpenVPN, and WireGuard.

- Advertisement - SIEM as a Service

All Linux Distro’s are Vulnerable

Researchers tested most of the following Linux distributions and found that all are vulnerable including Linux distros that use a version of systemd pulled after November 28th, 2018.

  • Ubuntu 19.10 (systemd)
  • Fedora (systemd)
  • Debian 10.2 (systemd)
  • Arch 2019.05 (systemd)
  • Manjaro 18.1.1 (systemd)
  • Devuan (sysV init)
  • MX Linux 19 (Mepis+antiX)
  • Void Linux (runit)
  • Slackware 14.2 (rc.d)
  • Deepin (rc.d)
  • FreeBSD (rc.d)
  • OpenBSD (rc.d)

The discovered vulnerability has been confirmed its existence in Linux, FreeBSD, OpenBSD, macOS, iOS, and it allows the malicious access point to determine whether the connected user is using a VPN, websites that they are visiting and also allowed attackers to inject data into the TCP stream.

Researchers also confirmed that the vulnerability also works against OpenVPN, WireGuard, and IKEv2/IPSec. But not work against TOR since it operates in a SOCKS layer and includes authentication and encryption that happens in userspace.

Researchers clarifies that “It should be noted, however, that the VPN technology used does not seem to matter and we are able to make all of our inferences even though the responses from the victim are encrypted, using the size of the packets and number of packets sent (in the case of challenge ACKs, for example) to determine what kind of packets are being sent through the encrypted VPN tunnel.”

The Attack Setup & Component

There are 3 steps and 4 components need to reproduce this attack.

3 Steps:

  1. To determine the VPN client’s virtual IP address
  2. Using the virtual IP address to make inferences about active connections
  3. Using the encrypted replies to unsolicited packets to determine the sequence and acknowledgment numbers of the active connection to hijack the TCP sessions

4 Components :

  1. The Victim Device (connected to AP, 192.168.12.x, 10.8.0.8)
  2. AP (controlled by the attacker, 192.168.12.1)
  3. VPN Server (not controlled by the attacker, 10.8.0.1)
  4. A Web Server (not controlled by the attacker, public IP in a real-
    world scenario)

This attack does not work against any Linux distribution until the release of Ubuntu 19.10 and the Amazon AWS employee confirmed that Amazon Linux and our VPN products; aren’t impacted by this issue.

Possible VPN-Tunneled TCP connections attack mitigation suggested by researchers:

1. Turning reverse path filtering on
2. Bogon filtering
3. Encrypted packet size and timing

You can read the complete analysis of this vulnerability report here.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates

Also Read

Critical Wi-Fi Bug In Linux Let Hackers Take Complete Control and Crash The System Remotely

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...