A severe new vulnerability disclosed by a team of cybersecurity researchers affects most Linux and Unix-like operating systems, including FreeBSD, OpenBSD, macOS, iOS, and Android, and could let ‘network adjacent attackers’ spy on and interfere with encrypted VPN connections.
The vulnerability, tracked as CVE-2019-14899, resides in the networking stack of various operating systems and can be exploited against both IPv4 and IPv6 TCP streams.
Because the vulnerability does not depend on the VPN technology in use, the attack works against widely deployed virtual private network protocols such as OpenVPN, WireGuard, IKEv2/IPSec, and more, the researchers confirmed.
The vulnerability can be exploited by a network attacker who controls an access point or is connected to the victim’s network, simply by sending unsolicited network packets to a targeted device and observing the replies, even though those replies are encrypted.
According to the researchers, although the details vary for each affected operating system, the vulnerability lets attackers:
- determine the virtual IP address assigned to the victim by the VPN server,
- determine whether there is an active connection to a given website,
- determine the exact sequence and acknowledgement numbers by counting encrypted packets and/or examining their size, and
- inject data into the TCP stream and hijack connections.
The access point can determine the victim’s virtual IP by sending SYN-ACK packets to the targeted device across the entire virtual IP space. When a SYN-ACK reaches the correct virtual IP on the victim device, the device responds with a RST; when it is sent to an incorrect virtual IP, the attacker receives nothing.
The researchers stated that this does not work against macOS/iOS devices.
Instead, an attacker had to use an open port on the Apple machine to determine the virtual IP address. In their testing the researchers used port 5223, which Apple uses for iCloud, iMessage, FaceTime, Game Center, Photo Stream, push notifications and other services.
The researchers tested and successfully exploited the vulnerability against the operating systems and init systems listed below; the list is expected to grow as the researchers test the flaw on more systems.
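The probe described above leaves a distinctive footprint on the victim side: packets arriving on the physical (Wi-Fi or Ethernet) interface that carry the tunnel's virtual addresses, which no legitimate traffic on that interface would do. The following detector, an added example that is not the researchers' code, scans simplified tcpdump-style lines (constructed here; the VPN range 10.8.0.0/24, the gateway 192.168.1.1 and the client 192.168.1.5 are assumed values) and reports both the sweep and any RST reply that confirms a virtual IP; because it uses the ipaddress module it handles IPv6 ranges the same way.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed tcpdump-style lines as they would appear on the victim's physical
# interface (e.g. wlan0), not on the tun device: the access point 192.168.1.1
# sweeps SYN-ACKs across the virtual range and 10.8.0.3 alone answers with a RST.
SAMPLE_LINES = """\
IP 192.168.1.1.443 > 10.8.0.1.40000: Flags [S.], seq 1, ack 1, win 512
IP 192.168.1.1.443 > 10.8.0.2.40000: Flags [S.], seq 1, ack 1, win 512
IP 192.168.1.1.443 > 10.8.0.3.40000: Flags [S.], seq 1, ack 1, win 512
IP 10.8.0.3.40000 > 192.168.1.1.443: Flags [R], seq 1, win 0
IP 192.168.1.5.51000 > 192.168.1.1.53: Flags [S], seq 10, win 64240
IP 192.168.1.1.53 > 192.168.1.5.51000: Flags [S.], seq 20, ack 11, win 65535
""".splitlines()

LINE_RE = re.compile(r"IP6? (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def parse_line(line):
    """Extract (src, dst, flags) from a simplified tcpdump line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, _sport, dst, _dport, flags = m.groups()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), flags

def analyse(lines, vpn_range):
    """Flag packets on the physical interface that address the VPN's virtual range.

    Such packets have no legitimate reason to arrive there (strict reverse path
    filtering drops them). Returns how many distinct virtual addresses each
    sender probed, and which virtual addresses answered with a RST (a leak).
    """
    net = ipaddress.ip_network(vpn_range)
    sweeps = defaultdict(set)
    leaked = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, flags = parsed
        if dst in net:                      # unsolicited probe at a virtual IP
            sweeps[str(src)].add(dst)
        elif src in net and "R" in flags:   # the host answered a probe with a RST
            leaked.add(str(src))
    return {"sweeps": {s: len(d) for s, d in sweeps.items()},
            "leaked": sorted(leaked)}

RESULT = analyse(SAMPLE_LINES, "10.8.0.0/24")
```

On the constructed sample, RESULT reports one sender that probed three virtual addresses and 10.8.0.3 as the address that answered with a RST; the ordinary DNS exchange between 192.168.1.5 and the gateway is ignored.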
- Ubuntu 19.10 (systemd)
- Fedora (systemd)
- Debian 10.2 (systemd)
- Arch 2019.05 (systemd)
- Manjaro 18.1.1 (systemd)
- Devuan (sysV init)
- MX Linux 19 (Mepis+antiX)
- Void Linux (runit)
- Slackware 14.2 (rc.d)
- Deepin (rc.d)
- FreeBSD (rc.d)
- OpenBSD (rc.d)
Most of the Linux distributions tested were vulnerable, especially those using a version of systemd pulled after November 28th of last year, which turned reverse path filtering off.
The researchers also found that the attack works against IPv6, so turning reverse path filtering on is not a reasonable solution.
As mitigations, they suggest turning on reverse path filtering, implementing bogon filtering, and encrypting packet size and timing to prevent attackers from making inferences from them.
The technical details of the vulnerability have not been disclosed; the researchers plan to publish an in-depth analysis of the flaw and its implications once the affected vendors, including systemd, Google, Apple, OpenVPN, WireGuard and various Linux distributions, have issued satisfactory workarounds and patches.