Three researchers from Breakpointing Bad and the University of New Mexico have discovered a vulnerability that affects Linux and Unix-like operating systems, including Android and macOS. Tracked as CVE-2019-14899, the flaw resides in the routing table code and the TCP code present in these systems. It allows an attacker to perform traffic analysis through clever use of encrypted DNS queries in conjunction with error messages, leading to the sniffing of information about open TCP connections. The attack was discovered quite a while back, but the researchers have only now disclosed it publicly, after giving vendors time to plug the holes.
As the researchers detail, the flaw enables a network-adjacent attacker to tell when another user is connected to a VPN, learn the IP address assigned to them by the VPN server, and determine whether they are visiting a specific website. The team also managed to determine the SEQ and ACK numbers by analyzing the number and sizes of the encrypted packets, and were able to inject data into the TCP stream, which essentially amounts to connection hijacking. The tests were done on CentOS, Manjaro 18.1.1, and Ubuntu 19.10, and found that the exploit works on both IPv4 and IPv6. Besides these systems, the following are also confirmed to be vulnerable: Fedora, Debian 10.2, Arch 2019.5, Devuan, MX Linux 19, Void Linux, Slackware 14.2, Deepin, FreeBSD, and OpenBSD. As the team points out, the same behavior, with slight differences, is also present on Android and macOS. The VPN products tested were OpenVPN, WireGuard, and IKEv2/IPsec, but the problem exists regardless of which VPN product is used.
The attack and the crafting of the special packets required to let the infiltrator look inside someone else's VPN tunnel are very clever, with some researchers calling the method impressive. That said, the chances of this exploding into massive-scale exploitation are pretty slim right now. Still, those who deploy VPN connections in highly critical environments should make sure to apply the following proposed mitigations: a.) turn reverse path filtering on, in strict mode; b.) activate bogon filtering to hide the IP address; c.) encrypt packet size and timing via padding or other means. It is important to point out, however, that these mitigations aren't absolutely effective against the full range of CVE-2019-14899's exploitation potential, but they are still valuable measures.
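As an added example (not code from the article or from the researchers), the following POSIX shell script audits the Linux kernel's reverse path filtering setting per interface and writes a sysctl drop-in that enforces strict mode, the first of the mitigations listed above; the drop-in path used in the usage note is an assumption.

```shell
#!/bin/sh
# Added example: audit and enforce strict reverse-path filtering (rp_filter)
# on a Linux VPN client, one of the proposed CVE-2019-14899 mitigations.
# rp_filter covers IPv4 only; IPv6 needs the netfilter rpfilter match instead.

# Map a kernel rp_filter value (0/1/2) to its meaning.
rp_filter_mode_name() {
    case "$1" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# Succeed only when the given value means strict mode.
rp_filter_is_strict() {
    [ "$(rp_filter_mode_name "$1")" = strict ]
}

# Print the configured mode for every interface that exposes the knob.
# Note: the kernel applies the higher of conf.all and conf.<iface>, so
# "all = strict" is enough even if a single interface still shows "off".
audit_rp_filter() {
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        printf '%-12s %s\n' "$iface" "$(rp_filter_mode_name "$(cat "$f")")"
    done
}

# Write a sysctl drop-in to the path given as $1 that forces strict mode on
# all current and future interfaces. A probe arriving on the physical link
# whose source address would be routed via the tunnel is then dropped instead
# of being accepted for the VPN interface's address.
write_rp_filter_dropin() {
    cat > "$1" <<'EOF'
# CVE-2019-14899 mitigation: strict reverse-path filtering (IPv4).
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
EOF
}
```

Run `audit_rp_filter` to see the current state, then `write_rp_filter_dropin /etc/sysctl.d/90-rpfilter.conf && sysctl --system` as root to apply it (the file name is an assumption).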
OpenVPN Access Server Product Manager, Johan Draaisma, has provided the following statement: "It doesn't appear to be a flaw in the OpenVPN software, but a flaw in the configuration of the operating system itself. The issue is more in how the operating system deals with this type of attack in general, rather than anything going wrong in the VPN connection itself."