CVE-2019-14899: new vulnerability lets attackers hijack VPN connections, and there's plenty of other news stories on it. It is a really interesting vulnerability and there's lots of headlines, but instead of going through all the headlines, because you know news cycles want to get the clicks and they want to tell you the sky is falling to get you to read, I'm at least gonna start with: the sky is not falling. VPNs are still safe, but there are some attacks now that are interesting and I'm gonna dive into that, and there's ways to mitigate it.

So how does this work? Well, first, this is an attack against VPN clients running on Unix-based systems, and we mean like Linux and Mac and BSD, and potentially some Android flaws are related to this as well because once again it's kind of loosely based on Linux on the back end. This does not affect a Windows-side system. Now these are all client-side attacks, by the way; this is not something you have to change out your routing for, you don't have to change out your VPN server side, this is a client-side attack. And this is really interesting because I didn't really think this was possible, and of course that's what these security researchers do: they take something that might be plausible, might be interesting, and dive into it and attack it and figure out some of the edge cases. We're gonna talk about everything that needs to be done to make this attack work, to show, one, it's not easy. It's not like one push; even if you automated this it still takes a lot of noise on a network to get it going. So we're gonna walk through the whole tech and the methodologies and then we'll talk about the mitigation, and also talk about how this happened and what changes were made in systems to cause this. This vulnerability works against OpenVPN, WireGuard, IKEv2 and IPsec, so this does work against multiple VPN platforms. We're gonna talk specifically about OpenVPN, but it does work against the other ones; I just happen to have OpenVPN set up, so we'll walk through the scenarios.

We'll talk about that. There are three steps to this attack. Determine the VPN client's virtual IP address: so when you attach with a VPN it's going to hand you a virtual IP address in addition to your local network IP address. Using the virtual IP address to make an inference about active connections: this is where things get tricky, but they found a way to; this is a key piece of it, to infer what websites you're going to; they have to know what websites you're going to. Then determine the packets, so using encrypted replies to unsolicited packets to determine the sequence and acknowledgement numbers of the active connections to hijack the TCP session. So the goal is: TCP has a series of packets, SYN, ACK, that go back and forth, and they're timed and numbered so they go in order. They have to determine that number, determine that order, and then spoof and insert things within those packets that are going over the VPN, which normally the VPN is tunneling and encrypting. So the inference is an important component of this to make it work.

The victim device connected to AP: this is the total scenario of this, and actually instead of reading this I put one together to show you what it looked like. Basically the attacker has to be here; they have to be part of the infrastructure. So this is public Wi-Fi, control of a vector. You could also replace this with a public switch, like, it's not really that there's many public switches that you go to a place and plug it in, but let's say a bad actor has control of the infrastructure and the routing of it, so you have to pass through their equipment that has all the capabilities and tooling on it to be able to pull this attack off. That is the first key part of it. Most likely is obviously public Wi-Fi, because when you're on public Wi-Fi a VPN will encapsulate your traffic to get it out past this device, and that should be adequate to protect you. Prior to this we always assumed, generally speaking, that yes, this is how that's mitigated.

This does not work the same as a random user that can also see your IP address. So let's say I'm on public Wi-Fi at a public place and another random user is on the same network; there are methods by which they can attack, referred to as like ARP spoofing, and this has a similar attack vector to that. So they take the ARP spoofing, they would try to get you to go to their computer. This is not that type of attack, because the importance of this attack is the local IP, which is known by the public infrastructure that you're connecting to, the public Wi-Fi I should say, that's controlled by the bad actor. They have to then determine what your VPN virtual IP address is. Now that is not an arbitrarily easy task; that's actually the first part of the attack. They don't see it. So when you have your local IP and you go through the VPN process, and I put my router, VPN device, whatever that might be, or a service you're connecting to if it's a VPN service like one of the, you know, public ones that offer this type of service, you go out to the internet and all of your traffic is tunneled. But when you establish this connection over here, this device hands you this IP address; that's all done through tunneled and encrypted traffic, so they don't just get that information no matter how close they watch it, because, well, it's tunneled and encrypted, and I have a whole video about TLS encryption and OpenVPN I can link to where I've dove into some of how that works. The way they determine this is rather clever, and this is how the attack vectors, scroll down here: so what they're doing is sending a bunch of RSTs there, so they're sending resets to your network and hoping to find your IP address for the virtual, because this is the flaw: the system starts acknowledging the fact that you have a virtual IP address. So they go and are pumping information towards your IP and seeing if they get certain information back from it. That's what's a little confusing as to how they're doing it, and they don't have the full proof of concept out yet, but it's interesting because it was assigned a CVE, it's under review, they're waiting for mitigations. So with OpenVPN it's, you know, a lot of them are set up 192.168.70 dot whatever, that range, so they can just poke through ranges. So that is one of the first channels, but once they determine that they can start spoofing it.

And what allows them to do that was what puzzled me, and I had to dive deeper into the reading to understand what allowed them to do this: why does the system start responding? It was an interesting answer, but it starts here, right here: "most Linux distributions we tested were vulnerable, especially Linux distributions that use a version of systemd pulled after November 28th of last year." So this is 2019, December, and this was in 2018, in November, that they changed it. So let's go all the way over, and because, well, this is the beauty of open source, it's open and you don't just arbitrarily make willy-nilly changes in code, you have reasons you made them. This is the switch change: it's called the rp_filter, and it was switched from 1 to 2. And the use case for it's not because some NSA bad actor got into the open source code and monkeyed with this, this is what people always like to think happens, but this is the very simple reason that this occurred. The switch is the RFC 3704 reverse path filtering from strict mode to loose mode. "The strict mode breaks some pretty common, reasonable use cases such as keeping connections via a default route alive after another one appears, i.e. plugging in the Ethernet cable while connected to Wi-Fi. The strict filter also makes it impossible for NetworkManager to do a connectivity check on a newly arriving default route; it starts with a higher metric and is bumped lower if there's connectivity. The kernel's default is 0, no filter, but a loose filter's good enough. Use cases where a strict filter mode may easily override this... this just... distributions that don't care about the client use case and prefer a strict filter could just ship a custom configuration." What this means is this is a change at the systemd level to establish a default, and so distributions, such as a bunch that use systemd, or Pop!_OS like I'm using, when they pull it this is the default, but of course any distribution can override this. That's why we don't have the absolute clearest picture yet; we have to look on a case-by-case basis in case any specific distribution did override the setting.

But the use case for it is really simple. Let's go back over here: I'm plugged into the Wi-Fi here and hooked up, but I have my VPN established. What if I want to change, or I plug in another, like a hard line, the network cable? Well, you don't want the VPN to drop; you want to be able to keep that VPN going even when that changes. That's the flaw that's actually allowing us in. So here's my computer and here's my IP address and here's my tunneled IP address, that extra one on there that you normally would not expect to accept anything other than stuff that goes through the encapsulated tunnel. It's kind of interesting, the fact that they found a way to get the system to eventually respond with enough, basically, spoofing information, and then they can start going through and getting it to accept that spoofed information, provided they get the right sequence and match it up and make more noise, essentially, is what my understanding is, than the standard stream, so they can get something in there. Obviously they could, if you're in control of the infrastructure, you may want to, at the same time that, you know, the packets are coming back, insert your packets and then somehow hold up the packets that would be coming there. So it's kind of playing out some of these scenarios, but like I said, this is not some easy arbitrary attack.

And then they were able to insert that traffic. What about, how, what is it they're going to actually accomplish with it? Well, here's the thing I wrote over here: unencrypted site. That's an important aspect of it. So you would say we've tunneled our traffic through the controlled system so they can't see it; it goes through the internet over to a VPN device, maybe it's something on my network, and then I go out of this device. So I'm encapsulating all my traffic, but they infer what website I'm going to, and they know what unencrypted website I'm going to. What does that mean? Well, now they can look at that traffic and they can start inserting return information that's invalid or different than I would expect in an attempt to attack me. But unencrypted is an important part. If you're doing all this, and then on top of that the site you're going to is an encrypted site, well, now they have a problem: they would have to break the encryption of that site. That is not an arbitrary thing to do, especially if their sites are using the latest TLS 1.3; that's a really solid level of encryption. It's technically double encrypted, triple if you count the VPN here, therefore that's where this attack stops. But don't get me wrong, it's still serious. I'm not saying that this isn't a potential threat, I'm just saying the attack is not as likely unless you're also going to an unencrypted site. But if you're going to an unencrypted site and doing something confidential, that's bad in general, because every hop in between on the internet is not just one globe like I show here, it's a lot of pieces in between; any of your traffic can be seen in between when it's an unencrypted site. That's just a general problem. So that's one of the reasons we've had such a big push for encrypting all the sites over the last several years, and now here in 2019, well, end of 2019, then pretty much every major website's encrypted, and even some of the other ones, because, well, with companies like Let's Encrypt and the ACME protocol we've just gone to everything default encrypted. So this protects against a lot of this attack because someone has to spoof it.

But DNS, I've done a couple videos on DNS and DNS over HTTPS, that's where there's still an issue, because if you're still not using the, why you're not encrypting all your DNS traffic, you're using just standard plain old port 53 DNS, well, they might have the potential to go, hey look, they're using a DNS server, we can see this traffic, we can infer that this is there, and we're going to insert different DNS entries to send you to the wrong places. So there's still a big risk there. But if you're using encrypted DNS, especially if you're using encrypted in between your device and your VPN device, or you're using DoH for the browsing, well, there you go: if you're using DNS over HTTPS, DoH, you're good, because now they can't encrypt, they can't spoof the DNS, they can't spoof the site, because it's encrypted. They have been thwarted, provided they had all the means by which to do this attack, which is fairly complicated to begin with. So it's a lot to think about, but it's still not the end of the world, but it's still something that needs to be patched. So I never try to downplay any seriousness of security issues, but I like to make sure it's clear that this is not the end of the world and there's some mitigations against it. The mitigations, enough, and release, but you go over here and we dive down, they have a listing of how to mitigate that, and we have here turning off the path filtering being the obvious one. Potential problem: asynchronous routing, not reliable on mobile devices. This is that problem of why they turned it on in the first place, and they do say there still might be possibilities to get that attacked.
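Since the video traces the exposure to systemd changing the rp_filter default from 1 (strict) to 2 (loose), here is an added shell example, written for this page and not taken from the video, the researchers, or the systemd project, that audits rp_filter from sysctl-style output and writes a sysctl.d drop-in restoring strict mode. The sample sysctl lines are constructed to look like a host after the November 2018 change, and the drop-in path is passed in as an argument so it can be written to a temporary file rather than /etc/sysctl.d.

```shell
#!/bin/sh
# Added example, not part of the original video.
# rp_filter values (RFC 3704 reverse path filtering, Linux sysctl):
#   0 = no source validation, 1 = strict mode, 2 = loose mode.

# Constructed sample of `sysctl net.ipv4.conf` output on a systemd-based host
# after the 2018 default change: 'all' and 'default' are loose (2).
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.tun0.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0'

# Map a numeric rp_filter value to a readable mode name.
rp_filter_mode() {
  case "$1" in
    0) echo "off" ;;
    1) echo "strict" ;;
    2) echo "loose" ;;
    *) echo "unknown" ;;
  esac
}

# Read sysctl-style "key = value" lines on stdin and print
# "<interface> <mode>" for every rp_filter entry that is not strict (1).
audit_rp_filter() {
  while IFS= read -r line; do
    case "$line" in
      net.ipv4.conf.*.rp_filter*) ;;
      *) continue ;;
    esac
    key=${line%% =*}          # everything before " ="
    value=${line##*= }        # everything after "= "
    iface=${key#net.ipv4.conf.}
    iface=${iface%.rp_filter}
    if [ "$value" != "1" ]; then
      echo "$iface $(rp_filter_mode "$value")"
    fi
  done
}

# Number of non-strict entries in the constructed sample.
count_non_strict() {
  printf '%s\n' "$SAMPLE_SYSCTL" | audit_rp_filter | wc -l | tr -d ' '
}

# Write a sysctl.d drop-in that restores strict mode. The path is an
# argument (hypothetical helper) so the example never touches /etc.
write_strict_override() {
  cat > "$1" <<'EOF'
# Restore strict reverse-path filtering, overriding the loose default
# shipped by systemd. Note: strict mode breaks the multi-homed use cases
# the systemd commit describes (e.g. keeping a VPN up while switching
# from Wi-Fi to Ethernet).
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
EOF
}

# On a live host you would feed real output instead of the sample:
#   sysctl net.ipv4.conf | audit_rp_filter
```

The audit only reports per-interface values; on Linux the kernel applies the higher of conf/all and conf/<interface> when validating a source address, so setting conf.all.rp_filter to 1 in the drop-in is enough to make every interface strict, which is why the override does not list interfaces individually.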
Bogon filtering: there's another option where you don't allow the VPN to listen to bogon networks, you know, private space networks. That would be a way to do it, but then they comment that network addresses used for VPNs and local networks, and some nations including Iran, use reserved IP address space for the public space. There's another one, encrypted packet size and timing, and there's a reply on that one that you can actually use in IPsec, it's off by default, but traffic flow confidentiality, and we see you're creating padding in there so they can't do the inference of what the website is, making the attack kind of go away. Also it's noted in here in this reply that Tor is not affected because of the way the Tor destination address binds to localhost, so I thought that was interesting that it was observed in that regard. But only links to this, so you can do the reading.

I just wanted to say, one, it's a very serious thing, I love it with that, but also it's not the end of the world. I think it's something we'll work through, it's something we'll get patched, and it's not a server-side problem, it's not something you replace your server for to make this work, it's something on the client side, so there'll be an update and a patch released for this and it should work perfectly fine after they fix it; they just have to make a determination. And like I said, I don't have an exhaustive list of every operating system; they have a couple of lists in here, but obviously we know the major ones are affected because they've been pulling this, but it sounds like Ubuntu operating system, they confirmed this on Ubuntu 19.10, so I'm gonna assume Pop!_OS 19.10 as well, Fedora pulling systemd, Debian 10.2, Arch and Manjaro. So there's our ones they've tested: FreeBSD, Deepin, Slackware, Void Linux, MX Linux. So there's a couple of them, and like they said, this is not an exhaustive list; don't assume because you're not on a list you don't have the problem. It's a matter of whether or not the operating system you're using pulled that information over here from systemd and had those changed from then and didn't change the default from what they pulled. So hopefully this clears that up a little. It's like I said, it's a Linux/Unix problem, not a Windows problem to my knowledge. As of right now we don't know of this being a problem with OpenVPN and Linux, but hey, you know, once we've uncovered a piece of research, and I am surprised myself that the VPN, the virtual IP from the tunnel VPN, would even accept another type of command going to it or other TCP packets, I'm absolutely certain more security researchers are going to be attempting this on other platforms, so these flaws still may exist elsewhere that we just haven't found out about yet. But hey, look for patches and look for more security researchers and updates, but don't worry, generally speaking, the whole proof of concept is not out there and it doesn't appear that anything is in the wild that we know of right now. Stay safe, and thanks.

And thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to LawrenceSystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.LawrenceSystems.com, where we can carry on the discussion about this video, other videos or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching and see you next time.