New VPN Port Shadow Vulnerabilities Expose Encrypted Traffic to Attackers

A new study examines the impact of connection tracking frameworks on the security and privacy of VPN applications and introduces a novel exploit primitive called port shadow, which leverages shared resources within connection tracking frameworks to undermine the process isolation of clients connected to the same VPN server.

The researchers use port shadow to develop four attacks against VPNs: intercepting encrypted traffic, redirecting traffic, de-anonymizing users, and port scanning.

The evaluation results show that the attacks succeed across all tested VPN protocols (OpenVPN, OpenConnect, and WireGuard) and across a range of connection tracking frameworks.

Virtual Private Networks (VPNs) protect user privacy through IP obfuscation and encryption, hiding users' IP addresses and the content of their data.

To achieve this, VPNs rely on address translation provided by the host system's connection tracking framework. The study focuses on Layer 3 VPNs such as OpenVPN and WireGuard, which are commonly used for anonymizing user traffic and bypassing geo-blocking.

By exploiting vulnerabilities in the connection tracking framework, attackers can potentially alter the routing behavior of the VPN and compromise user privacy. 

Figure: Source port collision and resolution process for two clients connecting to the same web server through the same VPN.

The attack leverages the VPN server's connection tracking table (T): because the VPN's public IP, its port space, and T are shared by all clients, port and IP collisions can occur between VPN clients.

By inserting entries into T, the attacker can reroute a target client's packets and obtain an in-path position between the client and the VPN server, which enables the attacker to deanonymize the client, inject packets, and even perform port scanning.

The attack works because clients using a layer 3 VPN first encrypt their traffic and then send it to the VPN server, which decrypts the traffic, removes the VPN encapsulation, and forwards it to the destination server. 

The attack exploits a weakness in the routing rules to replace the destination server's IP address with the VPN server's IP address, which strips the VPN tunnel encryption from the traffic.

Figure: Decapsulation used to redirect B to a forged webpage served by A through N.

The authors built a formal model to explore the root cause of vulnerabilities in connection tracking frameworks, using the non-interference property to test process isolation; the model tracks connections between hosts and their private IPs.

Analysis of the model identified several attacks that violate non-interference, including Address Translation Identity Prediction (ATIP), connection inference, port-forwarding overwrite, eviction reroute, and port scanning.

The authors then propose mitigations for these attacks, such as selecting a new source port, limiting connections per host, removing entries after disconnection, and forcing packets to be encapsulated first.
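The shared-table collision described above and the first mitigation listed (selecting a new source port) can be illustrated with a toy connection-tracking model. This is an added example, not code from the paper or from any VPN or conntrack implementation; the addresses are constructed, and the rule that the first entry keeps a colliding tuple is an assumption, since real frameworks differ in their overwrite and eviction policies.

```python
# Toy model of a VPN server's shared connection-tracking table (T).
# All clients share the VPN's public IP, so only (public port, destination)
# distinguishes their flows. Assumption: a colliding tuple is kept by whoever
# inserted it first; real frameworks differ in overwrite/eviction policy.


class ConnTrack:
    def __init__(self, unique_source_port=False):
        # key: (public_port, dest_ip, dest_port) -> (client_ip, client_port)
        self.table = {}
        # mitigation from the paper's list: select a new source port on collision
        self.unique_source_port = unique_source_port

    def outbound(self, client_ip, client_port, dest_ip, dest_port):
        """Record a client's outgoing flow; return the public port it maps to."""
        public_port = client_port
        owner = self.table.get((public_port, dest_ip, dest_port))
        if owner is not None and owner != (client_ip, client_port):
            if not self.unique_source_port:
                # collision left unresolved: the existing entry shadows this flow
                return public_port
            # mitigation: move the new flow to an unused public port
            while (public_port, dest_ip, dest_port) in self.table:
                public_port += 1
        self.table[(public_port, dest_ip, dest_port)] = (client_ip, client_port)
        return public_port

    def inbound(self, public_port, src_ip, src_port):
        """Reply from the destination: which private endpoint receives it?"""
        return self.table.get((public_port, src_ip, src_port))


def port_shadow_scenario(unique_source_port):
    """Two clients reuse source port 40000 towards the same web server.
    Returns the private endpoint that receives the second client's reply."""
    t = ConnTrack(unique_source_port)
    web = ("198.51.100.5", 80)  # constructed destination web server
    t.outbound("10.8.0.2", 40000, *web)  # client A connects first
    port_b = t.outbound("10.8.0.3", 40000, *web)  # client B collides with A
    return t.inbound(port_b, *web)  # where does the reply to B end up?


def interference_check():
    """Non-interference style check: B's reply must reach B regardless of A.
    Returns (receiver without mitigation, receiver with mitigation)."""
    return port_shadow_scenario(False), port_shadow_scenario(True)
```

Without the mitigation the reply to B is delivered to A's entry, which is the interference the formal model flags; with a fresh public port per colliding flow it reaches B.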

Kaaviya, Cyber Press (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
