• adam_y@lemmy.world
    link
    fedilink
    English
    arrow-up
    204
    ·
    8 months ago

    “There are no ways to prevent such attacks except when the user’s VPN runs on Linux or Android.”

    So there are ways.

    • /home/pineapplelover@lemm.ee
      link
      fedilink
      English
      arrow-up
      8
      ·
      edit-2
      8 months ago

      Wait so the vulnerability exists on macos and iphone even though those are based on bsd (right?)

      Edit: and also Windows, forgot about Windows

      • Natanael@slrpnk.net
        link
        fedilink
        English
        arrow-up
        4
        ·
        8 months ago

        Hilariously enough, Windows users can use WSL to run a Linux VPN (but only applications running in WSL are safe if I understand the attack right)

    • FridaG@reddthat.com
      link
      fedilink
      English
      arrow-up
      5
      ·
      8 months ago

      True, if you neg a linux dev online enough for two years, you can make your entire infrastructure vulnerable to attack

    • Railing5132@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      8 months ago

      Hate to rain on the Linux parade here, but didn’t the article say: “There are no ways to prevent such attacks except when the user’s VPN runs on Android.” and that Linux was just as vulnerable as Windows?

        • Railing5132@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          8 months ago

          I was going from this: (emphasis mine)

          Interestingly, Android is the only operating system that fully immunizes VPN apps from the attack because it doesn’t implement option 121. For all other OSes, there are no complete fixes. When apps run on Linux there’s a setting that minimizes the effects, but even then TunnelVision can be used to exploit a side channel that can be used to de-anonymize destination traffic and perform targeted denial-of-service attacks.

  • dgmib@lemmy.world
    link
    fedilink
    English
    arrow-up
    56
    ·
    8 months ago

    So for this attack to work, the attacker needs to be able to run a malicious DHCP server on the target machine’s network.

    Meaning they need to have already compromised your local network either physically in person or by compromising a device on that network. If you’ve gotten that far you can already do a lot of damage without this attack.

    For the average person this is yet another non-issue. But if you regularly use a VPN over untrusted networks like a hotel or coffee shop wifi then, in theory, an attacker could get your traffic to route outside the VPN tunnel.

    • GamingChairModel@lemmy.world
      link
      fedilink
      English
      arrow-up
      27
      ·
      8 months ago

      Put another way, this means that a malicious coffee shop or hotel can eavesdrop on all VPN traffic on their network. That’s a really big fucking deal.

      • dgmib@lemmy.world
        link
        fedilink
        English
        arrow-up
        17
        ·
        8 months ago

        Not all VPN traffic. Only traffic that would be routable without a VPN.

        This works by tricking the computer into routing traffic to the attacker’s gateway instead of the VPN’s gateway. It doesn’t give the attacker access to the VPN gateway.

        So traffic intended for a private network that is only accessible via VPN (like if you were connecting to a corporate network for example) wouldn’t be compromised. You simply wouldn’t be able to connect through the attacker’s gateway to the private network, and there wouldn’t be traffic to intercept.

        This attack doesn’t break TLS encryption either. Anything you access over https (which is the vast majority of the internet these days) would still be just as encrypted as if you weren’t using a VPN.

        For most people, in most scenarios, this amount to a small invasion of privacy. Our hypothetical malicious coffee shop could tell the ip addresses of websites you’re visiting, but probably not what you’re doing on those websites, unless it was an insecure website to begin with. Which is the case with or with VPN.

        For some people or some situations that is a MASSIVE concern. People who use VPNs to hide what they’re doing from state level actors come to mind.

        But for the average person who’s just using a VPN because they’re privacy conscious, or because they’re location spoofing. This is not going to represent a significant risk.

        • Natanael@slrpnk.net
          link
          fedilink
          English
          arrow-up
          1
          ·
          8 months ago

          Plaintext connections inside corporate networks can still be MITM’ed if the adversary knows what they’re targeting, while they can’t connect to the corporate network they can still steal credentials

          • dgmib@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            8 months ago

            You wouldn’t be able to MITM a plaintext connection inside a corporate network with this attack by itself. You could only MITM something that the attacker can access without your VPN.

            Any corporate network that has an unsecure, publicly accessible endpoint that prompts for credentials is begging to be hacked with or without this attack.

            Now you could spoof an login screen with this attack if you had detailed info on the corporate network you’re targeting. But it would need to be a login page that doesn’t use HTTPS (any corporations, dumb enough to do that this day and age are begging to be hacked), or you’d need the user to ignore the browser warning about it not being secure, which that is possible.

            • Natanael@slrpnk.net
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              8 months ago

              I’m tech support so I’ve seen some stuff, sooo many intranet sites on internal servers don’t have HTTPS, almost only the stuff built to be accessible from the outside has it. Anything important with automatic login could be spoofed if the attacker knows the address and protocol (which is likely to leak as soon as the DHCP hijack is applied, as the browser continues to send requests to these intranet sites until it times out). Plaintext session cookies are also really easy to steal this way.

              Chrome has a setting which I bet many orgs have a policy for;

              https://chromeenterprise.google/policies/#OverrideSecurityRestrictionsOnInsecureOrigin

              Of course they should set up TLS terminators in front of anything which doesn’t support TLS directly, but they won’t get that done for everything

        • GamingChairModel@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          8 months ago

          That’s a fair point, you’re right.

          I do still think that a lot of people do use VPNs in public spaces for privacy from an untrusted provider, though, perhaps more than your initial comment seemed to suggest.

    • linearchaos@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      8 months ago

      I think the real meat here would be the work from home crowd. If you can find a hole in there router, you can inject routing tables and defeat VPN.

      But the VPN client doesn’t have to be stupid. You could certainly detect rogue routes and shut down the network.

      • dgmib@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        8 months ago

        As I mentioned in my other comment, this wouldn’t let an attacker eavesdrop on traffic on a VPN to a private corporate network by itself. It has to be traffic that is routable without the VPN.

        • linearchaos@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          8 months ago

          I don’t know, if you’ve already have full control over routing and have some form of local presence, seems to me you could do something interesting with a proxy, maybe even route the traffic back to the tunnel adapter.

          • dgmib@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            8 months ago

            I can’t see routing traffic to some kind of local presence and then routing back to the target machine to route out through the tunnel adapter without a successful compromise of at least one other vulnerability.

            That’s not to say there’s nothing you could do… I could see some kind of social engineering attack maybe… leaked traffic redirects to a local web server that presents a fake authentication screen that phishes credentials , or something like that. I could only see that working in a very targeted situation… would have to be something more than just a some rouge public wi-fi. They’d have to have some prior knowledge of the private network the target was connecting to.

            • linearchaos@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              8 months ago

              We’re already assuming you have something that can compromise DHCP. Once you make that assumption who’s to say you don’t have a VM hanging out.

  • Optional@lemmy.world
    link
    fedilink
    English
    arrow-up
    46
    ·
    8 months ago

    there are no ways to prevent such attacks except when the user’s VPN runs on Linux or Android.

    So . . . unix? Everything-but-Windows?

    • abhibeckert@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      edit-2
      8 months ago

      Everything-but-Windows?

      No. Any device that implements a certain DHCP feature is vulnerable. Linux doesn’t support it, because most Linux systems don’t even use DHCP at all let alone this edge case feature. And Android doesn’t support it because it inherited the Linux network stack.

      I would bet some Linux systems are vulnerable, just not with the standard network packages installed. If you’re issued a Linux laptop for work, wouldn’t be surprised if it has a package that enables this feature. It essentially gives sysadmins more control over how packets are routed for every computer on the LAN.

      • gsfraley@lemmy.world
        link
        fedilink
        English
        arrow-up
        35
        ·
        edit-2
        8 months ago

        most Linux systems don’t even use DHCP

        WTF are you smoking? WTF is wrong with you that you think such a dumb claim would go unscrutinized? I would play Russian roulette on the chances of a random Linux installation on a random network talking DHCP.

        Edit, in case being charitable helps: DNS and IP address allocation aren’t the only things that happen over DHCP. And even then the odds are overwhelming that those are being broadcast that way.

  • kinther@lemmy.world
    link
    fedilink
    English
    arrow-up
    41
    ·
    8 months ago

    If your LAN is already compromised with a rogue DHCP server, you’ve got bigger problems than them intercepting just VPN traffic. They can man in the middle all of your non-encrypted traffic. While this is bad, it’s not a scenario most people will run into.

    • Doubletwist@lemmy.world
      link
      fedilink
      English
      arrow-up
      46
      ·
      8 months ago

      The problem isn’t them being in you LAN. It’s about going to an untrusted network (eg Starbucks, hotel) and connecting to your VPN, boom, now your VPN connection is compromised.

      • kinther@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        ·
        8 months ago

        I woke up this morning and thought of this exact scenario, then found your comment lol

        Yes, this is bad for anyone who travels for work and can’t trust the network they connect to.

    • sudneo@lemm.ee
      link
      fedilink
      English
      arrow-up
      16
      ·
      8 months ago

      The other comment already covers the fact that VPN should be useful exactly when you are connected to untrusted LANs. I want to add that also the main point of your comment is anyway imprecise. You don’t need a compromise DHCP, you just need another machine who spoofs being a DHCP. Not all networks have proper measures in place for these attacks, especially when we are talking wireless (for example, block client-to-client traffic completely). In other words, there is quite a middle-ground between a compromised router (which does DHCP in most cases) and just having a malicious device connected to the network.

    • Rolling Resistance@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      8 months ago

      I wonder if it applies to routers made by a company who likes collecting user data. Because this is a situation many people are in.

    • Bricriu@lemmy.world
      link
      fedilink
      English
      arrow-up
      40
      ·
      8 months ago

      My understanding is that if you run a rogue discoverable DHCP server in a local network with a particular set of options set and hyper-specific routing rules, you can clobber the routing rules set by the VPN software on any non-Android device, and route all traffic from those devices through arbitrary midpoints that you control.

      But IANANE (I am not a network engineer) so please correct my misinterpretations.

  • LordCrom@lemmy.world
    link
    fedilink
    English
    arrow-up
    15
    ·
    8 months ago

    To execute this you need a DHCP server on the network… But any admin worth his salt has a config on the switch to limit DHCP traffic to a designated server.

    Seems extremely difficult to pull off in any corporate environment

  • MonkderDritte@feddit.de
    link
    fedilink
    English
    arrow-up
    13
    ·
    edit-2
    8 months ago

    If i get this right, that attack only works before the tunnel is initiated (i.e. traffic encrypted), if the hosts is compromised, right? No danger from untrusted points inbetween, right?

    • NeatNit@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      18
      ·
      8 months ago

      This technique can also be used against an already established VPN connection once the VPN user’s host needs to renew a lease from our DHCP server. We can artificially create that scenario by setting a short lease time in the DHCP lease, so the user updates their routing table more frequently. In addition, the VPN control channel is still intact because it already uses the physical interface for its communication. In our testing, the VPN always continued to report as connected, and the kill switch was never engaged to drop our VPN connection.

      Sounds to me like it totally works even after the tunnel has started.

      • Natanael@slrpnk.net
        link
        fedilink
        English
        arrow-up
        2
        ·
        8 months ago

        Yeah, it’s like a fake traffic cop basically, sending your (network) traffic down the wrong route

    • DreamlandLividity@lemmy.world
      link
      fedilink
      English
      arrow-up
      8
      ·
      edit-2
      8 months ago

      No, it works at any point and the local network needs to be compromised (untrusted), the host can be secure.

      So it is likely not an issue at your home unless you have weak Wi-Fi password. But on any public/untrusted Wi-Fi, it is an issue.

        • DreamlandLividity@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          8 months ago

          That being said, it apparently does not affect Mullvad apps on any platform other than iOS (Apple does not allow fixing it on iOS). I suspect other serious VPNs are also not vulnerable outside iOS, since it is prevented by simple leak prevention mechanism.

  • RaoulDook@lemmy.world
    link
    fedilink
    English
    arrow-up
    10
    ·
    8 months ago

    So if they are changing routes by using DHCP options, perhaps this could be exploited by telecom insiders when you are using mobile data, because your mobile data IP could be assigned by a DHCP server on the telecom network. If you’re at home on wifi, then you can control your own DHCP server to prevent that.

  • Natanael@slrpnk.net
    link
    fedilink
    English
    arrow-up
    9
    ·
    8 months ago

    Pushing a route also means that the network traffic will be sent over the same interface as the DHCP server instead of the virtual network interface. This is intended functionality that isn’t clearly stated in the RFC. Therefore, for the routes we push, it is never encrypted by the VPN’s virtual interface but instead transmitted by the network interface that is talking to the DHCP server. As an attacker, we can select which IP addresses go over the tunnel and which addresses go over the network interface talking to our DHCP server.

    Ok, so double encrypted and authenticated traffic (TLS inside the VPN) would still be safe, and some stuff requiring an internal network origin via the VPN is safe (because the attacker can’t break into the VPN connection and your client won’t get the right response), but a ton of other traffic is exposed (especially unencrypted internal traffic on corporate networks, especially if it’s also reachable without a VPN or if anything sends credentials in plaintext)

  • TipRing@lemmy.world
    link
    fedilink
    English
    arrow-up
    9
    ·
    8 months ago

    I use option 121 as part of my work, though I am not an expert on DHCP. This attack does make sense to me and it would be hard to work around given the legitimate uses for that option.

  • 𝓔𝓶𝓶𝓲𝓮@lemm.ee
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    8 months ago

    If someone uses vpns for anything other than region locked content then that’s not very smart.

    It’s one big security risk and no attacks are necessary for some vpn company tech to sell your data. Hell I’d do it myself to a highest bidder, sorry.

    It’s like walking naked around some stranger’s house and trusting them to close their eyes.

    • Couldbealeotard@lemmy.world
      link
      fedilink
      English
      arrow-up
      20
      ·
      8 months ago

      Encrypted VPN tunnels are ubiquitous in many industries for remote connection to private clouds. They are used by virtually every high functioning company in the world, and getting more common for mid and lower tier companies as well.

      • Buddahriffic@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        8 months ago

        There’s no real way to know if VPNs intended for the public are run the same as those intended for enterprise. Windows doesn’t have a lot of the same BS in their enterprise versions that are in the personal ones. Even with the same software, it could just be a checkbox that the salesperson can check for big businesses with legal teams that read and enforce contracts.

        • Couldbealeotard@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          8 months ago

          Maybe you can explain what you actually mean then, because I don’t understand your point.

          I would say those dollar-store VPN products people use for geo-spoofing is the worst security risk when it comes to VPNs. You are sending your data through some other company that you have no control or insight into. You have no idea what network security they employ, or whether they are willing or obligated to release your data to other parties.

    • Buddahriffic@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      8 months ago

      I assume this is definitely the case for free VPNs, if any of those still exist. There might be some willing to donate bandwidth and compute resources for the good of others, but I’m sure there’s more that pretend to do that but actually just sell the data or maybe just spy.

      Tbh I wouldn’t be surprised if this is also the case for TOR nodes. I wonder how many entry and exit points are run by the NSA or some other government entity. Or are just monitored. If you can monitor the entry and exit points, you can determine both the source and destination, and just match them together using the middle node address.

      Same thing with proxies.

      Paid VPNs could go either way. On the one hand, they could make more money if they are willing to sell out their users’ privacy. On the other hand, that risks the entire thing falling apart if word gets out that it’s not private, since that’s the whole point of VPNs. I’m sure there’s some good ones out there but I’m also sure that there’s bad ones and wouldn’t be surprised if some of the ones considered good are actually bad.

      Maybe ones that run in Europe would be safer bets. Their business is at least able to run there with the privacy laws. Maybe they are skirting them and haven’t been caught yet, maybe their data sales from other regions are profitable enough to support European operations without data sales, but if they are going for max greed and min risk, maybe they wouldn’t operate there. Or maybe they just run things differently in the different regions to maximize global profits.

  • the_third@feddit.de
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    8 months ago

    When I design something, critical applications get their own network namespace with only the VPN interface inside anyway. So, yeah.

      • originalucifer@moist.catsweat.com
        link
        fedilink
        arrow-up
        3
        ·
        8 months ago

        i think docker allows for this configuration. i use a gluetun container for the network definition of the torrent container to prevent leaking. the torrent container knows of no other network than the vpn container.

      • the_third@feddit.de
        link
        fedilink
        English
        arrow-up
        1
        ·
        8 months ago

        There’s readily available docker containers for it but I wanted to build it by hand. Well, more or less, Extremely hacky but it works, so fine for me.

        I started out with cheating and used this wrapper around wg-quick that gives us a persistent network namespace with the tunnel interface in it:

        https://github.com/dadevel/wg-netns

        cat /etc/systemd/system/wg-qbittorrent.service
        [Unit]
        Description=WireGuard Network Namespace for qBittorrent
        Wants=network-online.target nss-lookup.target
        After=network-online.target nss-lookup.target
        
        [Service]
        Type=oneshot
        Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
        Environment=WG_VERBOSE=1
        ExecStart=/opt/wg-netns/bin/wg-netns up /etc/wireguard/wgconfig.yaml
        ExecStop=/opt/wg-netns/bin/wg-netns down /etc/wireguard/wgconfig.yaml
        RemainAfterExit=yes
        
        WorkingDirectory=%E/wireguard
        ConfigurationDirectory=wireguard
        ConfigurationDirectoryMode=0700
        
        CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_ADMIN
        LimitNOFILE=4096
        LimitNPROC=512
        LockPersonality=true
        MemoryDenyWriteExecute=true
        NoNewPrivileges=true
        ProtectClock=true
        ProtectHostname=true
        RemoveIPC=true
        RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
        RestrictNamespaces=mnt net
        RestrictRealtime=true
        RestrictSUIDSGID=true
        SystemCallArchitectures=native
        
        [Install]
        WantedBy=multi-user.target
        

        Then I built a static binary of qbittorrent using this really neat docker image: https://github.com/userdocs/qbittorrent-nox-static

        …and stuffed the result into a systemd service that runs it in the namespace wg-netns provides:

        cat /etc/systemd/system/qbittorrent-nox.service 
        
        [Unit]
        Description=qBittorrent-nox service
        Wants=network-online.target wg-qbittorrent.service 
        After=local-fs.target network-online.target nss-lookup.target wg-qbittorrent.service 
        
        [Service]
        Type=simple
        PrivateTmp=false
        #User=qbittorrent
        ExecStart=/usr/sbin/ip netns exec ns-qbittorrent sudo -u qbittorrent /opt/qbittorrent/qbittorrent-nox
        TimeoutStopSec=1800
        RestartSec=15
        RestartMaxDelaySec=600
        RestartSteps=10
        Restart=always
        
        [Install]
        WantedBy=multi-user.target
        
        

        To get the webui out of that I stuck two instances of socat together at the stdout and from there it depends on whatever you want to use as a reverse proxy on the host - or you bind to a network interface if you trust the network:

        cat /etc/systemd/system/qbittorrent-webui.service 
        [Unit]
        Description=qBittorrent-nox webui forwarding into its namespace
        Wants=network-online.target wg-qbittorrent.service 
        After=local-fs.target network-online.target nss-lookup.target wg-qbittorrent.service 
        
        [Service]
        Type=simple
        PrivateTmp=false
        ExecStart=/opt/qbittorrent/forward-webinterface.sh
        TimeoutStopSec=1800
        Restart=always
        RestartSec=10
        
        [Install]
        WantedBy=multi-user.target
        
        cat /opt/qbittorrent/forward-webinterface.sh
        #!/bin/sh
        set -eu
        
        exec socat tcp6-listen:"8080",reuseaddr,fork,range=[::1]/128 "exec:ip netns exec ns-qbittorrent socat stdio 'tcp-connect:127.0.0.1:8080',nofork"
        
        

        Works, is reboot safe, stopped caring about beauty at that point.