New Linux Vulnerability Lets Attackers Hijack VPN Connections
upstart writes:
Submitted via IRC for carny
Security researchers found a new vulnerability allowing potential attackers to hijack VPN connections on affected *NIX devices and inject arbitrary data payloads into IPv4 and IPv6 TCP streams.
They disclosed the security flaw tracked as CVE-2019-14899 to distros and the Linux kernel security team, as well as to others impacted such as Systemd, Google, Apple, OpenVPN, and WireGuard.
The vulnerability is known to impact most Linux distributions and Unix-like operating systems including FreeBSD, OpenBSD, macOS, iOS, and Android.
[...] This security flaw "allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website," according to William J. Tolley, Beau Kujath, and Jedidiah R. Crandall, Breakpointing Bad researchers at the University of New Mexico.
"Additionally, we are able to determine the exact seq and ack numbers by counting encrypted packets and/or examining their size. This allows us to inject data into the TCP stream and hijack connections," the researchers said.
Attacks exploiting CVE-2019-14899 work against OpenVPN, WireGuard, and IKEv2/IPSec, but the researchers are still testing their feasibility against Tor.
They also note that the particular VPN technology in use does not appear to matter: the attacks worked in their tests even when the responses from targets were encrypted, because the size and number of packets sent were enough to determine what kind of data packets were being delivered through the encrypted VPN tunnel.
[...] The full procedure to reproduce the vulnerability on Linux distros is explained in detail within the disclosure report publicly available here.
The research team is planning to publish a paper with an in-depth analysis of this vulnerability and its implications but only after finding an adequate workaround.
Also at The Register
Read more of this story at SoylentNews.