Hackers Can Hijack VPN Connections Using A New Linux Vulnerability

Linux is one of the most-used open-source operating systems. On 4 Dec 2019, A team of cyber researchers found vulnerability on Linux distros and other Unix operating systems, such as OpenBSD, FreeBSD, iOS, macOS, and Android. 

The team of researchers tracked this vulnerability as CVE-2019-14899, which allows a network adjacent hacker to get information about the users without their permission.

The user has to be connected to a VPN (Virtual Private Network). After following this condition the hacker will be able to access the information of the virtual IP address assigned by the VPN server, also the activity status of a given website’s connection. 

Researchers told that hackers can know about the exact ack and seq numbers by counting encrypted packets or examining their size. With this accessibility, hackers will be able to inject data into the TCP stream and hijack the connection.

The attack came into existence after the release of Ubuntu 19.10, when the rp-filter settings of sysctl.d/50-default.conf in the systemd repository have been changed from “strict” to “loose” mode.  This change happened on November 28, 2018. After this date, all the systems with these settings are vulnerable now.

After 28 November, Reverse path filtering also got off by default. Despite this recently discovered that this attack also works against IPv6 and turning reverse path filtering on isn’t worth anymore.

This attack was tested with WireGuard, OpenVPN, and IKEv2/IPSec VPNs. Although, the team said that they did not test this vulnerability with TOR but they believe it is invulnerable because it operates in the SOCKS layer and includes authentication and encryption happens in userspace.

The team of researchers explained this attack in 3 steps:

  1. First by knowing the VPN’s client virtual IP address.
  2. Attackers will make inferences about active connections by using the virtual IP address.
  3. After getting the encrypted replies to unsolicited packets to determine the sequence and numbers of active connections to Hijack the TCP session.

Here’s the list of the vulnerable operating system that the team has already tested and found vulnerable:-

  1. Ubuntu 19.10 (systemd)
  2. Fedora (systemd)
  3. Debian 10.2 (systemd)
  4. Arch 2019.05 (systemd)
  5. Manjaro 18.1.1 (systemd)
  6. Devuan (sysV init)
  7. MX Linux 19 (Mepis+antiX)
  8. Void Linux (runit)
  9. Slackware 14.2 (rc.d) 
  10. Deepin (rc.d)
  11. FreeBSD (rc.d) 
  12. OpenBSD (rc.d)

The behavior of all operating systems is different against this vulnerability, but most operating systems are vulnerable to this attack except for macOS/iOS devices. 

They told us, to get the accessibility of macOS/iOS, a hacker has to use an open post to get information about the virtual IP address. The researchers used “port 5223, which is used for iCloud, iMessage, FaceTime, Game Center, Photo Stream, and services like push notifications.

Despite the above list, the researchers told us that they’re going to run this vulnerability test on more operating systems. So, in the future, more operating systems could be added to this vulnerability list.

The researchers are planning to publish a record of all the details of this vulnerability and all its implications. They also mentioned that they will report the vulnerability to oss-security () lists openwall com.

They are also reporting this vulnerability to the other affected services like Systemd, Google, Apple, OpenVPN, and WireGuard and more.


Please enter your comment!
Please enter your name here