VPN Vulnerability Allows Attackers to Eavesdrop and Hijack Connections
Researchers from the University of New Mexico have discovered a vulnerability affecting Ubuntu, Fedora, Debian, FreeBSD, OpenBSD, macOS, iOS, Android, and other Unix-based operating systems. This issue allows attackers to listen in on, intercept, and interfere with VPN connections.
The bug, identified as CVE-2019-14899, stems from the way the network stacks of several Unix-based operating systems respond to unexpected network packets. An attacker can exploit this vulnerability to probe a device and gather various details about the user’s VPN connection status.
Attacks can be carried out from a malicious access point or router, or by an attacker present on the same network. From any of these positions, the attacker can determine whether another user is connected to a VPN, discover the virtual IP address assigned by the server, and even find out whether the victim is connected to a specific website. Even worse, the bug enables attackers to determine the exact sequence of packets in certain VPN connections, which can be used to inject data into the TCP stream and compromise the connection.
The researchers report that they successfully exploited the vulnerability on the following operating systems, and note that the issue also affects Android, iOS, and macOS:
- Ubuntu 19.10 (systemd)
- Fedora (systemd)
- Debian 10.2 (systemd)
- Arch 2019.05 (systemd)
- Manjaro 18.1.1 (systemd)
- Devuan (sysV init)
- MX Linux 19 (Mepis + antiX)
- Void Linux (runit)
- Slackware 14.2 (rc.d)
- Deepin (rc.d)
- FreeBSD (rc.d)
- OpenBSD (rc.d)
The researchers emphasize that the attack works against OpenVPN, WireGuard, and IKEv2/IPSec, among others: the specific VPN technology used does not matter, nor does the use of IPv4 or IPv6.
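A check a Linux administrator can run, given here as an added example that is not part of the original article or the researchers' code: the public disclosure of CVE-2019-14899 discussed enabling reverse path filtering as one possible mitigation, and this script reports interfaces whose effective IPv4 rp_filter mode is not strict. The sample values and the interface names wlan0 and tun0 are constructed for illustration.

```python
"""Audit Linux IPv4 reverse-path filtering (rp_filter) per interface."""
from pathlib import Path

CONF_DIR = Path("/proc/sys/net/ipv4/conf")
MODES = {0: "off", 1: "strict", 2: "loose"}


def effective_modes(raw):
    """Map interface -> effective rp_filter value.

    The kernel applies max(conf/all/rp_filter, conf/<iface>/rp_filter),
    so a loose 'all' (2) overrides a strict per-interface value (1).
    'all' and 'default' are pseudo-entries, not interfaces.
    """
    all_value = raw.get("all", 0)
    return {
        iface: max(all_value, value)
        for iface, value in raw.items()
        if iface not in ("all", "default")
    }


def audit(raw):
    """Return sorted (iface, mode) pairs that are not in strict mode."""
    return sorted(
        (iface, MODES.get(value, "unknown"))
        for iface, value in effective_modes(raw).items()
        if value != 1
    )


def read_live(conf_dir=CONF_DIR):
    """Read rp_filter values from a running Linux host."""
    raw = {}
    for entry in conf_dir.glob("*/rp_filter"):
        raw[entry.parent.name] = int(entry.read_text().strip())
    return raw


# Constructed sample: 'all' loose, interfaces individually set to strict.
SAMPLE_LOOSE = {"all": 2, "default": 2, "lo": 1, "wlan0": 1, "tun0": 1}
# Constructed sample: 'all' strict, one interface left loose.
SAMPLE_MIXED = {"all": 1, "default": 1, "lo": 0, "wlan0": 1, "tun0": 2}

if __name__ == "__main__":
    # Fall back to the constructed sample when not on a Linux host.
    raw = read_live() if CONF_DIR.is_dir() else SAMPLE_LOOSE
    for iface, mode in audit(raw):
        print(f"{iface}: rp_filter effective mode is {mode}, not strict")
```

Strict mode can drop legitimate traffic on hosts with asymmetric routing, and the rp_filter sysctl covers IPv4 only, so a clean result here says nothing about IPv6.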