New VPN Port Shadow Vulnerability Let Hackers Intercept Encrypted Traffic

Researchers examined how connection tracking, a fundamental function in operating systems, can be  exploited to compromise VPN security and identified a new attack method named “port shadow” that allows attackers to intercept encrypted traffic, reveal user identities, or scan devices hidden behind a VPN server

The vulnerability stems from limitations in connection tracking and resource sharing. They built a model and verified six potential mitigations that focus on enforcing stricter process isolation. 

It examines how attackers on the same VPN server can interfere with other users’ connections by  exploiting a flaw in connection tracking frameworks. 

Source port collision and resolution process for two
client’s connecting to the same Web Server through the same
VPN.

The attacker can achieve this by sending packets with a spoofed source IP address that collides with another client’s connection, causing the VPN server to misroute packets.

The authors propose a formal model to analyze the attacks and design mitigations by using the non-interference property to ensure process isolation between clients.  

An Adjacent-to-in-Path (ATIP) attack  exploits VPN connection tracking mechanisms to redirect a target’s VPN connection request to the attacker. The attacker does this by sending packets with spoofed source and destination ports that collide with legitimate connections in the VPN server’s connection tracking table. 

This collision tricks the VPN server into routing the target’s packets to the attacker instead of the VPN endpoint and then leverages this position to perform further attacks, such as DNS injection and web traffic redirection.

Adjacent-to-in-path attack.

Three vulnerabilities in Layer 3 VPNs leverage connection tracking mechanisms to bypass VPN encryption.

The first vulnerability, the ATIP attack,  exploits IP and port collisions in the connection tracking table to redirect a client’s DNS request to the attacker. 

The attacker can then inject a DNS response to route the client’s traffic outside of the VPN tunnel.

The second vulnerability, the eviction ports reroute attack,  exploits the mutability of connection tracking entries to reroute incoming packets to the attacker after the client disconnects from the VPN server. the ATIP

The third vulnerability abuses the shared private IP space and the way packets are routed across the VPN to scan the ports of machines behind the VPN server. 

Eviction reroute attack

The research paper investigates the connection tracking frameworks used in VPNs and exposes several vulnerabilities.

The authors  exploit these vulnerabilities to launch denial-of-service (DoS) attacks and inject malicious content into the target machine’s traffic. 

They achieve this by manipulating the ephemeral port space and leveraging the way the connection tracking frameworks handle packet routing. 

It also explores how an attacker can learn the target’s public IP address and the VPN server’s IP address, making these attacks more realistic, which suggests that a well-resourced attacker can potentially compromise a user’s VPN connection.

Leave a Comment

Your email address will not be published. Required fields are marked *

*
*