Attackers use Vulnerability -CVE-2019-14899 to hijack active VPN connections
University of New Mexico discovered a vulnerability name CVE-2019-14899 that allows hackers to listen, intercept and interfere with the operation of VPN connections. This network stacks vulnerability can be found on Ubuntu, Fedora, Debian, FreeBSD, OpenBSD, macOS, iOS Android, and other Unix-based OS. The main problem lies in the way these operating systems respond to unexpected network packages.
The vulnerability allows attackers to probe a device and identify various details about the status of the user’s VPN connection: “We have discovered a vulnerability in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android which allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel”, – write researchers William J. Tolley, Beau Kujath, Jedidiah R. Crandall from Breakpointing Bad & University of New Mexico.
An attacker can perform the attack on behalf of a malicious access point or router or can present the same network in order to:
- Determine the another user connected to the VPN
- Find the IP address assigned to the server
- Determine victims connected to a specific site
- Determine exact sequence of packets in certain VPN connections
- Inject into the TCP data stream
- Compromise the connection
As per experts, there are three ways for carrying out this attack – by determining VPN client’s virtual IP address, using the IP address to make inferences about active connections and using unsolicited packets’ replies that are encrypted to determine sequence and to know a number of active connection to hijack.
Following are the list of the operating systems whose vulnerability is successful exploited:
- Fedora (systemd),
- Debian 10.2 (systemd),
- Arch 2019.05 (systemd),
- Manjaro 18.1.1 (systemd),
- Devuan (sysV init),
- MX Linux 19 (Mepis + antiX),
- Void Linux (runit),
- Slackware 14.2 (rc.d),
- Deepin (rc.d),
- FreeBSD (rc.d),
- OpenBSD (rc.d),
Researchers’ report also claim that this problem can extend to Android, iOS and macOS:Ubuntu 19.10 (systemd)