Vulnerability in Linux distros, Android and iOS allows VPN hijacking
Researchers have found a vulnerability in Linux and Unix-based operating systems that makes it possible to hijack VPN connections and inject arbitrary code into data traffic.
The vulnerability has been assigned CVE-2019-14899. According to security researchers at Breakpointing Bad, the flaw makes it possible to determine that a user has an active VPN connection and which virtual IP address the VPN provider has assigned to them. Attackers can then determine the TCP sequence and acknowledgment numbers by counting the encrypted packets and inferring their size. With that information they can hijack the TCP session inside the VPN tunnel and inject arbitrary payloads into the encrypted connection, the researchers write.
According to the researchers, the method works on Linux, FreeBSD, OpenBSD, macOS, iOS and Android. Linux distributions shipping a systemd version released after November 28, 2018 are affected in any case: that version changed the default reverse path filtering mode from strict to loose. The vulnerability is not limited to those versions, however. The researchers tested the issue on Ubuntu 19.10, Fedora, Debian 10.2, Arch 2019.05, Manjaro 18.1.1, Devuan, MX Linux 19, Void Linux, Slackware 14.2, Deepin, FreeBSD and OpenBSD. On the VPN side they tested OpenVPN, WireGuard and IKEv2/IPsec, but according to the researchers the VPN technology in use makes no difference to the vulnerability.
The problem can be mitigated by enabling reverse path filtering, enabling bogon filtering, or padding the encrypted packets to a uniform size. The researchers say they will release further details once better workarounds are available.
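As an added check that is not part of the article or the researchers' work, the POSIX shell script below audits the Linux rp_filter setting the article refers to (1 = strict, 2 = loose) and prints the sysctl lines that restore strict mode; the helper names and the sample interface values are constructed for illustration.

```shell
#!/bin/sh
# Audit per-interface reverse-path filtering on Linux. The systemd change the
# article mentions moved the default from 1 (strict) to 2 (loose); per the
# kernel's ip-sysctl documentation the higher of conf/all and conf/<iface>
# is what the kernel actually applies, so a loose "all" weakens every interface.

# Map a numeric rp_filter value to its mode name.
rp_mode() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# Read "iface value" pairs from stdin, print every interface that is not in
# strict mode. Exit status 0 means all interfaces are strict, 1 otherwise.
audit_rp_filter() {
    rc=0
    while read -r iface value; do
        [ -n "$iface" ] || continue
        mode=$(rp_mode "$value")
        if [ "$mode" != "strict" ]; then
            echo "$iface: rp_filter=$value ($mode)"
            rc=1
        fi
    done
    return $rc
}

# Collect live values from /proc in the "iface value" form audit_rp_filter
# expects (Linux only; prints nothing elsewhere).
collect_rp_filter() {
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        echo "$(basename "$(dirname "$f")") $(cat "$f")"
    done
}

# Constructed sample mirroring the post-change systemd default: "all",
# "default" and the physical NIC are loose, only the VPN tunnel is strict.
SAMPLE="all 2
default 2
eth0 2
tun0 1"

# Usage: audit the sample (replace with collect_rp_filter on a real host).
printf '%s\n' "$SAMPLE" | audit_rp_filter || cat <<'EOF'
# To restore strict mode persistently, e.g. /etc/sysctl.d/90-rp-filter.conf:
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
EOF
```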