
Systemd Opened Security Hole In Linux, VPNs Could Be Compromised, Hacker News


Attackers on the local network could discover that someone on the same network is using a VPN and could, potentially, find out what sites that person visits and even inject packets into the VPN user's data streams. This is all thanks to a change made to systemd in late 2018 which has since been adopted by all the major GNU/Linux distributions.

written by 윤채경 (Yoon Chae-kyung).

The systemd developers Lubomir Rintel and Lennart Poettering decided to change the reverse path filtering that systemd configures on Linux from strict mode (rp_filter=1), which systemd's own sysctl defaults had previously set, to loose mode (rp_filter=2) with a systemd commit in November 2018. All the major GNU/Linux distributions that use systemd have adopted this change.

Security researchers William J. Tolley, Beau Kujath and Jedidiah R. Crandall from the University of New Mexico discovered that this change can be used to tell whether a user on the local network is using a route-based VPN. They published their findings as a CVE, with the details in a message to the Open Source Security (oss-sec) mailing list titled "Inferring and hijacking VPN-tunneled TCP connections".

Their attack, which is rather theoretical beyond its first step, works on the latest versions of the major GNU/Linux distributions (Ubuntu, Fedora and Debian). Common VPN software such as OpenVPN and WireGuard is affected. An attacker on the local network could, in theory, find out whether someone is using a VPN, learn the virtual IP assigned to the VPN interface, check whether the target has an open connection to a specific IP and, in theory, even inject data into the VPN's TCP streams.

Tor and policy-based VPN clients are not affected.

It Is Not As Bad As It Sounds

There is no need to panic if you are using a VPN. You can keep calm and Gangnam Style.

The potential attack on VPN users running a GNU/Linux distribution would have to be carried out from the local network. It begins by

sending SYN-ACK packets to the victim device across the entire virtual IP space (the default for OpenVPN is …8.0.0/16). When a SYN-ACK is sent to the correct virtual IP on the victim device, the device responds with a RST; when the SYN-ACK is sent to the incorrect virtual IP, nothing is received by the attacker.

(Inferring and hijacking VPN-tunneled TCP connections, on the oss-sec mailing list, November 4th)

This works: it is possible to see that someone else on the network has a private IP commonly used for VPN traffic if Linux's rp_filter is set to 2, which is now the systemd default. This can easily be changed by creating a file called /etc/sysctl.d/-rpfilter.conf

with the contents

net.ipv4.conf.all.rp_filter=1

The next step in an attack becomes far more academic:

Similarly, to test if there is an active connection for any given website, such as 64.…, for example, we send SYN or SYN-ACKs from 64.… on port … or … to the virtual IP of the victim across the entire ephemeral port space of the victim.

(Inferring and hijacking VPN-tunneled TCP connections, on the oss-sec mailing list, November 4th)

If you know someone is using a website because you have a camera pointed at their laptop (after all, this is an attack which requires you to be on the same local network), then it is easy to confirm with this attack that there is an active connection to that website. You would, of course, already know that they are using that website if you have a camera pointed at the victim's screen. Blindly guessing which IPs they could be connecting to is a different matter; the IP space is fairly large.

The security disclosure goes on to describe, in detail, a way to arbitrarily inject data into the active TCP connection. While theoretically possible, it is a practical non-issue. First of all, you would have to know what website or other IP the victim is connecting to. Secondly, it has to be done while the connection is open, which is not a very large window. Lastly, one sentence in the attack's description is easy to misread:

"You can run tcpdump on the victim machine to accelerate the testing of this process by viewing the actual sequence and acknowledgment numbers."

(Inferring and hijacking VPN-tunneled TCP connections, on the oss-sec mailing list, November 4th)

Well... you probably can't run tcpdump on some random victim's computer, and if you could, you would already have root access to it and would not need a theoretical attack. That sentence, however, describes a shortcut the researchers used to validate their method in the lab, not a step an attacker needs: the disclosure infers the sequence and acknowledgment numbers from the sizes of the encrypted replies the victim sends through the tunnel, which anyone on the local network can observe. The two earlier objections still stand.

Tor differs from VPN services. Applications reach it through a local SOCKS proxy rather than through a routed tunnel interface with its own virtual IP, so there is nothing for the scan to find and it is not affected.

GNU/Linux users who worry about this mostly theoretical attack can protect themselves by setting the reverse path filter back to strict. Create /etc/sysctl.d/-rpfilter.conf containing net.ipv4.conf.all.rp_filter=1:

echo 'net.ipv4.conf.all.rp_filter=1' | sudo tee /etc/sysctl.d/-rpfilter.conf

The new setting can be applied at run time with sysctl --system (as root).
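The single sysctl line above is the article's fix; the script below is an added example, not code from the article or from the CVE disclosure, that does the same thing and adds the check a practitioner wants afterwards. It matters because the kernel applies the maximum of net.ipv4.conf.all.rp_filter and the per-interface value (documented in Documentation/networking/ip-sysctl.rst), so setting only "all" to 1 leaves any interface that is individually set to 2 in loose mode. The drop-in name 60-rpfilter-strict.conf, the tunnel interface name and the virtual IP in the usage comment are my assumptions, chosen so the file sorts after systemd's own 50-default.conf; the iptables rule in drop_off_tunnel is an extra measure of my own, not something the article recommends.

```shell
#!/bin/sh
# Added example (not from the article or the disclosure): put reverse path
# filtering back into strict mode and verify the value the kernel actually
# applies on every interface.
#
# Assumptions: the drop-in is named 60-rpfilter-strict.conf (sorts after
# systemd's 50-default.conf); tunnel interface and virtual IP are arguments.

# The kernel uses max(conf/all/rp_filter, conf/<iface>/rp_filter) for each
# interface, so "all"=1 with an interface at 2 is still loose mode.
effective_rp_filter() {
    all=$1
    iface=$2
    if [ "$all" -gt "$iface" ]; then
        echo "$all"
    else
        echo "$iface"
    fi
}

# Human-readable name for an rp_filter value.
rp_filter_name() {
    case "$1" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# Print "<interface> <effective value> <name>" for every interface,
# reading the live values from /proc.
rp_filter_status() {
    all=$(cat /proc/sys/net/ipv4/conf/all/rp_filter)
    for dir in /proc/sys/net/ipv4/conf/*/; do
        ifc=$(basename "$dir")
        case "$ifc" in all|default) continue ;; esac
        eff=$(effective_rp_filter "$all" "$(cat "$dir/rp_filter")")
        printf '%s %s %s\n' "$ifc" "$eff" "$(rp_filter_name "$eff")"
    done
}

# Write the drop-in (needs root) and apply it to the running kernel.
# Setting conf.default as well makes interfaces created later (a fresh
# tun0 or wg0) start out strict too.
harden_rp_filter() {
    printf '%s\n' \
        'net.ipv4.conf.all.rp_filter=1' \
        'net.ipv4.conf.default.rp_filter=1' \
        | sudo tee /etc/sysctl.d/60-rpfilter-strict.conf >/dev/null
    sudo sysctl --system >/dev/null
}

# Strict mode only rejects packets whose source address would not be routed
# back out of the receiving interface. This rule additionally drops anything
# addressed to the tunnel's virtual IP that did not arrive on the tunnel,
# whatever source address it carries.  $1 = tunnel interface, $2 = virtual IP.
drop_off_tunnel() {
    sudo iptables -t raw -I PREROUTING ! -i "$1" -d "$2" -j DROP
}

# Usage (assumed interface and address, adjust to your own tunnel):
#   harden_rp_filter
#   rp_filter_status
#   drop_off_tunnel tun0 10.8.0.2
```

Run rp_filter_status before and after harden_rp_filter: every line should read "strict" once the drop-in is applied. If a line still says "loose", some other sysctl fragment sets that interface to 2 individually and has to be changed too. The iptables rule is only useful once you know the tunnel's virtual IP, which is why it is a separate function.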

Attacks like this one are interesting from a technical point of view and they can sound scary and dramatic. They become far less dramatic once you look at the possible real-world scenarios. The odds of this affecting anyone actually using a VPN in the real world are very slim. You can keep calm and Gangnam Style even if you are using affected VPN software with rp_filter set to loose.
