The flaw allows a network-adjacent attacker (one on the same local network as the victim, such as a rogue Wi-Fi access point) to hijack and tamper with VPN (Virtual Private Network) connections and to inject malicious data into the TCP (Transmission Control Protocol) stream. “I am reporting a vulnerability that exists on most Linux distros, and other *nix operating systems which allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website. Additionally, we are able to determine the exact seq and ack numbers by counting encrypted packets and/or examining their size. This allows us to inject data into the TCP stream and hijack connections,” reads the advisory published by the Breakpointing Bad researchers at the University of New Mexico.

The vulnerability, tracked as CVE-2019-14899, is exploitable against both IPv4 and IPv6 TCP streams. The attack has been reported to work against several popular VPN solutions, including OpenVPN, IKEv2/IPsec and WireGuard. The researchers are still testing its viability against Tor, which operates at the SOCKS layer and performs its authentication and encryption in userspace. “It should be noted, however, that the VPN technology used does not seem to matter and we are able to make all of our inferences even though the responses from the victim are encrypted, using the size of the packets and number of packets sent (in the case of challenge ACKs, for example) to determine what kind of packets are being sent through the encrypted VPN tunnel,” clarifies the research team.

Below is an incomplete list of the operating systems, with their init systems, that the researchers successfully tested and exploited. They expect the list to grow as they test the flaw on more systems.
• Ubuntu 19.10 (systemd)
• Fedora (systemd)
• Debian 10.2 (systemd)
• Arch 2019.05 (systemd)
• Manjaro 18.1.1 (systemd)
• Devuan (sysV init)
• MX Linux 19 (Mepis+antiX)
• Void Linux (runit)
• Slackware 14.2 (rc.d)
• Deepin (rc.d)
• FreeBSD (rc.d)
• OpenBSD (rc.d)

“Most of the Linux distributions we tested were vulnerable, especially Linux distributions that use a version of systemd pulled after November 28th of last year which turned reverse path filtering off. However, we recently discovered that the attack also works against IPv6, so turning reverse path filtering on isn’t a reasonable solution,” said the research team.

Possible mitigations include turning on strict reverse path filtering, bogon filtering (dropping packets that carry addresses which should never legitimately appear on the physical interface, for example the VPN’s private virtual address range), and padding packet size and timing so that an attacker cannot infer what kind of packet crossed the tunnel. The researchers plan to publish a paper with the full technical details of the vulnerability, including a complete workaround or patch for the security flaw.
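The reason the reverse-path-filter setting matters, both for the injection the advisory describes and for the mitigation list above, is that the attacker delivers forged packets on the victim's physical interface while claiming a source address that the victim can only reach through the tunnel. The following is an added example written for this article, not code from the Breakpointing Bad researchers and not the kernel's implementation: a simplified model of Linux's IPv4 `rp_filter` decision run over a constructed VPN client routing table. The interface names (`wlan0`, `tun0`), the routes and all addresses are assumptions chosen for illustration; the three mode values are the real sysctl semantics (0 off, 1 strict, 2 loose), and the systemd default change the researchers refer to moved new installs from strict to loose mode.

```python
"""Simplified model of the Linux IPv4 reverse-path filter (rp_filter).

Added example for this article; not code from the CVE-2019-14899 advisory
and not the kernel's implementation. The interface names (wlan0, tun0), the
routing table and every address below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

OFF, STRICT, LOOSE = 0, 1, 2  # legal values of net.ipv4.conf.<if>.rp_filter


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str


# Constructed routing table of a VPN client on Wi-Fi: everything goes through
# the tunnel except the local LAN and the host route to the VPN server itself.
ROUTES = (
    Route(ipaddress.ip_network("0.0.0.0/0"), "tun0"),
    Route(ipaddress.ip_network("192.168.12.0/24"), "wlan0"),
    Route(ipaddress.ip_network("203.0.113.10/32"), "wlan0"),  # VPN server endpoint
)


def egress_dev(addr: str):
    """Longest-prefix route lookup: which interface would reach `addr`?"""
    ip = ipaddress.ip_address(addr)
    best = None
    for route in ROUTES:
        if ip in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best.dev if best else None


def effective_mode(all_value: int, if_value: int) -> int:
    """The kernel applies max(conf.all.rp_filter, conf.<if>.rp_filter) per interface,
    so setting only conf.all does not lower a stricter per-interface value."""
    return max(all_value, if_value)


def rp_filter_accepts(mode: int, src: str, in_dev: str) -> bool:
    """Source-address validation for a packet from `src` arriving on `in_dev`.

    STRICT: accept only if the reverse route to src leaves via in_dev.
    LOOSE:  accept if src is reachable via any interface at all.
    OFF:    accept everything.
    """
    if mode == OFF:
        return True
    reverse = egress_dev(src)
    if mode == STRICT:
        return reverse == in_dev
    if mode == LOOSE:
        return reverse is not None
    raise ValueError(f"unknown rp_filter mode {mode}")


# The attack traffic: the rogue access point forges packets that claim to come
# from the web server the victim is talking to (198.51.100.20, reachable only
# through the tunnel) and delivers them on the Wi-Fi interface, addressed to
# the victim's virtual VPN address (10.8.0.8, assumed here).
SPOOFED_SRC, PHYS_IF = "198.51.100.20", "wlan0"

if __name__ == "__main__":
    for name, mode in (("off", OFF), ("strict", STRICT), ("loose", LOOSE)):
        verdict = "accepted" if rp_filter_accepts(mode, SPOOFED_SRC, PHYS_IF) else "dropped"
        print(f"rp_filter={name}: spoofed packet from {SPOOFED_SRC} on {PHYS_IF} is {verdict}")
    # Genuine tunnel transport from the VPN server arrives on wlan0 and its
    # reverse route is wlan0, so strict mode does not break the VPN itself.
    print("VPN server packet on wlan0, strict:", rp_filter_accepts(STRICT, "203.0.113.10", PHYS_IF))
```

Running the block shows the spoofed packet accepted under off and loose and dropped under strict, while the VPN server's own packets pass in all three modes. On a real host the corresponding setting is `sysctl -w net.ipv4.conf.all.rp_filter=1` (and the per-interface keys, since the kernel takes the maximum of the two); note that this sysctl family exists only for IPv4, which is why the researchers say it is not a sufficient fix once the IPv6 variant is taken into account. For IPv6, or as the bogon-filtering alternative, the equivalent is a firewall rule on the physical interface that drops anything addressed to the tunnel's virtual address, for example an nftables rule matching `iifname "wlan0"` together with the tunnel's address range, assuming those names and addresses for your own setup.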