Image: Mohammad Rahmani (unsplash)
Numerous vulnerabilities present in a majority of VPN products are exploitable, enabling attackers to access user traffic, pilfer user data, or even target user devices, according to research findings.
Researchers from New York University, New York University Abu Dhabi, and KU Leuven University have emphasized that their exploitation methods aren’t resource-intensive. Thus, anyone possessing the right network permissions can execute these attacks, regardless of the VPN protocol in use. They also highlighted that even when a victim uses additional encryption layers like HTTPS, these attacks can determine the websites the user browses, posing a significant privacy threat.
The VPN Flaws and Potential Exploits The identified vulnerabilities have been categorized under four unique CVE identifiers: CVE-2023-36672, CVE-2023-35838, CVE-2023-36673, and CVE-2023-36671. Considering the vast number of susceptible platforms, these labels represent each vulnerability without considering the affected solution or codebase.
The initial two vulnerabilities can be manipulated through a LocalNet assault, occurring when a user links to a Wi-Fi or Ethernet network under an attacker’s control. Conversely, the subsequent two vulnerabilities can be exploited via a ServerIP maneuver, executed either by those controlling a dubious Wi-Fi/Ethernet connection or malicious internet service providers.
According to the researchers, both techniques deceive the user’s routing system, making the user transmit data outside the safeguarded VPN tunnel. This vulnerability allows potential adversaries to access and intercept such traffic.
A visual demonstration highlighting three of these attacks is accessible. Furthermore, the researchers have made available scripts that can evaluate a VPN client’s vulnerability status.
They also mentioned their intention to unveil the attack script to the public once a significant number of devices receive patches, contingent on the situation’s requirements and benefits.
At-Risk Applications and Remedial Recommendations Upon scrutinizing various consumer and corporate VPN tools, it was ascertained that a vast majority of VPNs for Apple, Windows, and Linux devices are prone to either or both types of attacks. However, on the Android platform, only approximately 25% of VPN apps are at risk, likely due to a meticulously crafted API.
Native VPN clients on platforms like Windows, macOS, and iOS exhibit vulnerabilities, including a few on Linux.
While the researchers are currently unaware of real-world exploitations of these vulnerabilities, they concede that detecting such incidents would be challenging.
Numerous VPN providers were informed of these detected vulnerabilities. Some vendors have already addressed the issues discreetly, in line with the researchers’ plea to maintain confidentiality until their study was divulged.
The researchers have compiled a comprehensive list of evaluated VPN apps across diverse devices. Users are encouraged to verify their VPN’s status and, if found vulnerable, to check for updates or fixes. If such details aren’t publicly disclosed, reaching out to the provider’s technical support is recommended.
The researchers also mentioned a few VPNs that have received patches, including Mozilla VPN, Surfshark, Malwarebytes, Windscribe, and Cloudflare’s WARP.
Cisco has verified the vulnerability of its Cisco Secure Client and AnyConnect Secure Mobility Client for Linux, macOS, and Windows to CVE-2023-36672, but only under a specific configuration. Meanwhile, Mullvad has acknowledged that only its iOS application is vulnerable to the LocalNet assault.
In cases where VPN updates are unavailable, users can counter the LocalNet threat by turning off local network access. Additionally, ensuring websites utilize HTTPS, a feature supported by numerous modern websites, can also act as a mitigation strategy, the research team suggests.