Tuesday, April 13, 2021
  • Setup menu at Appearance » Menus and assign menu to Top Bar Navigation
Advertisement
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
No Result
View All Result
Home Internet Security

New vulnerability lets attackers sniff or hijack VPN connections

December 6, 2019
in Internet Security
New vulnerability lets attackers sniff or hijack VPN connections
585
SHARES
3.3k
VIEWS
Share on FacebookShare on Twitter

Image: kalhh

Academics have disclosed this week a security flaw impacting Linux, Android, macOS, and other Unix-based operating systems that allows an attacker to sniff, hijack, and tamper with VPN-tunneled connections.

The vulnerability — tracked as CVE-2019-14899 — resides in the networking stacks of multiple Unix-based operating systems, and more specifically, in how the operating systems reply to unexpected network packet probes.

You might also like

Criminals spread malware using website contact forms with Google URLs

Critical security alert: If you haven’t patched this old VPN vulnerability, assume your network is compromised

Billions of smartphone owners will soon be authorising payments using facial recognition

According to the research team, attackers can use this vulnerability to probe devices and discover various details about the user’s VPN connection status.

Attacks can be carried out from a malicious access point or router, or by an attacker present on the same network “to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website.”

Furthermore, the research team also claims they were also able to determine the exact packet sequence in certain VPN connections.

“This allows us to inject data into the TCP stream and hijack connections,” said William J. Tolley, one of the three members of the Breakpointing Bad research team at the University of New Mexico.

Multiple operating systems impacted

The team said they tested and successfully exploited the vulnerability on the following operating systems:

Ubuntu 19.10 (systemd)
Fedora (systemd)
Debian 10.2 (systemd)
Arch 2019.05 (systemd)
Manjaro 18.1.1 (systemd)
Devuan (sysV init)
MX Linux 19 (Mepis+antiX)
Void Linux (runit)
Slackware 14.2 (rc.d)
Deepin (rc.d)
FreeBSD (rc.d)
OpenBSD (rc.d)

Other Unix-based operating systems like Android and macOS are also impacted.

The research team said their attack worked against VPN technologies like OpenVPN, WireGuard, and IKEv2/IPSec, and possibly others, as “the VPN technology used does not seem to matter.”

A “very impressive” attack

In response to the public disclosure, Jason A. Donenfeld, the creator of the WireGuard open-source VPN, said the “this isn’t a WireGuard vulnerability, but rather something in the routing table code and/or TCP code on affected operating systems.”

“It appears to affect basically most common Unix network stacks,” Donenfeld added.

Donenfeld described CVE-2019-12899 as a “nice vuln[erability]” while Colm MacCárthaigh, an Amazon Web Services engineer and member of the Apache HTTPd development team, described the attack as “very impressive.”

According to the research team, the attack relies on sending unsolicited network packets to a victim’s device (Linux router, Android phone, macOS desktop, etc.) and observing how the targeted device replies.

The cleverness of the attack resides in how the research team crafted these packets, and the way in which they used the replies to infer what the user was doing inside their VPN tunnel.

The research team’s public disclosure contains more technical details, along with possible mitigations that server owners can apply. The attack is not trivial to execute so this would exclude scenarios of mass-exploitation until patches will be available. However, the vulnerability is ideal for targeted attacks, if the attacker has the expertise to carry it out.

Credit: Zdnet

Previous Post

Reinforcement Learning to Reduce Building Energy Consumption

Next Post

2020 CMO Predictions by Marketing Influencers

Related Posts

Criminals spread malware using website contact forms with Google URLs
Internet Security

Criminals spread malware using website contact forms with Google URLs

April 13, 2021
Bug bounties: More hackers are spotting vulnerabilities across web, mobile and IoT
Internet Security

Critical security alert: If you haven’t patched this old VPN vulnerability, assume your network is compromised

April 13, 2021
Billions of smartphone owners will soon be authorising payments using facial recognition
Internet Security

Billions of smartphone owners will soon be authorising payments using facial recognition

April 13, 2021
PayPal rolls out new fraud management tools for merchants
Internet Security

PayPal rolls out new fraud management tools for merchants

April 12, 2021
Ransomware: The internet’s biggest security crisis is getting worse. We need a way out
Internet Security

Ransomware: The internet’s biggest security crisis is getting worse. We need a way out

April 12, 2021
Next Post
2020 CMO Predictions by Marketing Influencers

2020 CMO Predictions by Marketing Influencers

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

January 6, 2019
Microsoft, Google Use Artificial Intelligence to Fight Hackers

Microsoft, Google Use Artificial Intelligence to Fight Hackers

January 6, 2019

Categories

  • Artificial Intelligence
  • Big Data
  • Blockchain
  • Crypto News
  • Data Science
  • Digital Marketing
  • Internet Privacy
  • Internet Security
  • Learn to Code
  • Machine Learning
  • Marketing Technology
  • Neural Networks
  • Technology Companies

Don't miss it

How to Change the WordPress Admin Login Logo
Learn to Code

Intl.NumberFormat

April 13, 2021
Criminals spread malware using website contact forms with Google URLs
Internet Security

Criminals spread malware using website contact forms with Google URLs

April 13, 2021
Trends in custom software development in 2021
Data Science

Trends in custom software development in 2021

April 13, 2021
A.I. For Raspberry Pi Pico: Uctronics TinyML Learning Kit Review
Machine Learning

A.I. For Raspberry Pi Pico: Uctronics TinyML Learning Kit Review

April 13, 2021
BERT Transformers — How Do They Work? | by James Montantes | Apr, 2021
Neural Networks

BERT Transformers — How Do They Work? | by James Montantes | Apr, 2021

April 13, 2021
Bug bounties: More hackers are spotting vulnerabilities across web, mobile and IoT
Internet Security

Critical security alert: If you haven’t patched this old VPN vulnerability, assume your network is compromised

April 13, 2021
NikolaNews

NikolaNews.com is an online News Portal which aims to share news about blockchain, AI, Big Data, and Data Privacy and more!

What’s New Here?

  • Intl.NumberFormat April 13, 2021
  • Criminals spread malware using website contact forms with Google URLs April 13, 2021
  • Trends in custom software development in 2021 April 13, 2021
  • A.I. For Raspberry Pi Pico: Uctronics TinyML Learning Kit Review April 13, 2021

Subscribe to get more!

© 2019 NikolaNews.com - Global Tech Updates

No Result
View All Result
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News

© 2019 NikolaNews.com - Global Tech Updates