Tricky VPN-busting bug lurks in iOS, Android, Linux distros, macOS, FreeBSD, OpenBSD, say university eggheads

A bug in the way Unix-flavored systems handle TCP connections could put VPN users at risk of having their encrypted traffic hijacked, it is claimed.

The University of New Mexico team of William Tolley, Beau Kujath, and Jedidiah Crandall this week said they've discovered CVE-2019-14899, a security weakness they report to be present in "most" Linux distros, along with Android, iOS, macOS, FreeBSD, and OpenBSD. The upshot is, if exploited, encrypted VPN traffic can be potentially hijacked and disrupted by miscreants on the network.

To pull off the attack, the US-based posse says, a hacker would need to be "network adjacent" to their target, or control an access point on the victim's local network. Once the victim connected to their VPN, the spy would be able to, for one thing, tamper with the TCP stream to do things like inject packets into the stream.

This could be potentially used, we imagine, to force malicious JavaScript into webpages being visited via the VPN, for example.

"We are able to determine the exact SEQ and ACK numbers by counting encrypted packets and/or examining their size," the team explains of the process. "This allows us to inject data into the TCP stream and hijack connections."

So far, the eggheads say they have found the bug to be exploitable in various ways on macOS, iOS, and Android as well as versions of Ubuntu, Fedora, Debian, Arch, and Manjaro, as well as Devuan, MX Linux 19, Void Linux, FreeBSD, and OpenBSD.

"Most of the Linux distributions we tested were vulnerable, especially Linux distributions that use a version of systemd pulled after November 28th of last year which turned reverse path filtering off," the crew explained. "However, we recently discovered that the attack also works against IPv6, so turning reverse path filtering on isn't a reasonable solution, but this was how we discovered that the attack worked on Linux."

Additionally, the researchers said, multiple VPN platforms could be exploited.

"This vulnerability works against OpenVPN, WireGuard, and IKEv2/IPSec, but has not been thoroughly tested against tor, but we believe it is not vulnerable since it operates in a SOCKS layer and includes authentication and encryption that happens in userspace," the New Mexico "Breakpointing Bad" team writes.

"It should be noted, however, that the VPN technology used does not seem to matter and we are able to make all of our inferences even though the responses from the victim are encrypted, using the size of the packets and number of packets sent (in the case of challenge ACKs, for example) to determine what kind of packets are being sent through the encrypted VPN tunnel."

The team says they have prepared a paper with a detailed description of the flaw and will publish it once a full workaround or patch for the security blunder is released. Given how tricky the bug would be to actually exploit in the wild, however, there is no need to panic just yet. ®