New Linux vulnerability puts VPN connections at risk of hijacking

Researchers believe that vulnerability can specifically affect VPN users by hijacking encrypted traffic. Here’s how it happens…
New Linux vulnerability lets attackers to hijack VPN connections

Three researchers from the University of New Mexico and Breakpointing Bad have identified vulnerability in the way Unix and Linux-based operating systems like the macOS handle the TCIP connections. Researchers believe that vulnerability can specifically affect VPN users by hijacking encrypted traffic.

See: Israeli firm buys Private Internet Access (PIA) VPN raising privacy concerns

The research team comprising of William Tolley, Beau Kujath, and Jedidiah Crandall have classified the vulnerability as CVE-2019-14899. They state it to be a security weakness present in a majority of Linux distros, and other operating systems like iOS, Android, FreeBSD, macOS, and OpenBSD.

They shared their findings with distros and Linux kernel security teams along with other firms that are directly affected including Apple, Google, Systemd, OpenVPN, and WireGuard. The list of affected systems is available below:

  • • MX Linux 19 (Mepis+antiX)
  • • FreeBSD (rc.d)
  • • Slackware 14.2 (rc.d)
  • • Ubuntu 19.10 (systemd)
  • • Fedora (systemd)
  • • Debian 10.2 (systemd)
  • • Devuan (sysV init)
  • • OpenBSD (rc.d)
  • • Arch 2019.05 (systemd)
  • • Manjaro 18.1.1 (systemd)
  • • Deepin (rc.d)
  • • Void Linux (runit)

The vulnerability is found in the systems’ routing table code and TCP code. Through this flaw, an attacker can analyze traffic by strategically using the encrypted DNS queries with error messages to obtain exclusive information about open TCP connection. That is, an attacker can assess when a user is connected to a VPN, obtain their IP address that is provided by the VPN server and identify if a user is visiting a certain website or not.

Most of the Linux distributions we tested were vulnerable, especially Linux distributions that use a version of systemd pulled after November 28th of last year which turned reverse path filtering off. However, we recently discovered that the attack also works against IPv6, so turning reverse path filtering on isn’t a reasonable solution, but this was how we discovered that the attack worked on Linux.

Furthermore, the research team also identified the SEQ and ACK numbers from inspecting the encrypted packet size and number and managed to inject data into the TCP stream, which led to the hijacking of the connection. This means VPN technology was ineffective in preventing the attack since even encrypted packets could be assessed.

After testing on Manjaro 18.1.1, CentOS, and Ubuntu 19, researchers discovered that the exploit was applicable to both IPv4 and IPv6. Other systems that are vulnerable to exploitation include Void Linux, Debian 10.2, Slackware 14.2, Arch 2019.5, MX Linux 19, Deepin, Fedora, Devuan, FreeBSD, and OpenBSD. They will be testing the effectiveness of the exploit against Tor as well.

Though the chances of wide-scale exploitation of this flaw are slim since the attacker would need to be adjacent to the network or gain control of the target computer’s access point.

The good news is that this vulnerability was identified some time back and the researchers have chosen to disclose it now as the vendors have already fixed the issue. However, researchers recommend that those who use a VPN should be careful.

To mitigate the threat, VPN users must turn on reverse path filtering and strict mode, use padding to encrypt packet size, and to hide their IP address they should enable bogon filtering.


OpenVPN has responded to HackRead’s article in a Tweet stating that,

“An initial investigation by our security experts, and experts across the globe, reveals that this issue affects all network interfaces, not VPN in particular.”

You can read more on OpenVPN’s blog post.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

Related Posts