Cyber security news August 2023

This posting is here to collect cyber security news in August 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

333 Comments

  1. Tomi Engdahl says:

    Hacking campaign bruteforces Cisco VPNs to breach networks https://www.bleepingcomputer.com/news/security/hacking-campaign-bruteforces-cisco-vpns-to-breach-networks/

    Hackers are targeting Cisco Adaptive Security Appliance (ASA) SSL VPNs in credential stuffing and brute-force attacks that take advantage of lapses in security defenses, such as not enforcing multi-factor authentication (MFA).

    Admins and security teams are advised to deactivate default accounts and passwords to block brute-force attempts targeting their VPN systems.

    Furthermore, they should ensure that MFA is enforced for all VPN users and that logging is enabled on all VPNs to help with attack analysis if needed.

    Reply
  2. Tomi Engdahl says:

    US govt email servers hacked in Barracuda zero-day attacks
    https://www.bleepingcomputer.com/news/security/us-govt-email-servers-hacked-in-barracuda-zero-day-attacks/

    Suspected Chinese hackers disproportionately targeted and breached government and government-linked organizations worldwide in recent attacks targeting a Barracuda Email Security Gateway (ESG) zero-day, with a focus on entities across the Americas.

    Almost a third of appliances hacked in this campaign belonged to government agencies, most of them between October and December 2022, according to a Mandiant report published today.

    Reply
  3. Tomi Engdahl says:

    BGP Flaw Can Be Exploited for Prolonged Internet Outages
    https://www.securityweek.com/bgp-flaw-can-be-exploited-for-prolonged-internet-outages/
    Serious flaw affecting major BGP implementations can be exploited to cause prolonged internet outages, but several vendors have not patched it.
    A serious flaw affecting several major Border Gateway Protocol (BGP) implementations can be exploited to cause prolonged internet outages, but some vendors are not patching it, a researcher warned on Tuesday.

    The issue was discovered by Ben Cartwright-Cox, the owner of BGP.Tools, a company that provides monitoring services to help organizations quickly identify and address BGP-related issues.

    BGP is the gateway protocol used for exchanging routing information between autonomous systems on the internet. BGP hijacking and leaks can be used to redirect users to arbitrary sites or cause severe disruptions.
    BGP exchanges UPDATE messages to advertise routing information, including IP ranges and an attribute that provides additional context.

    The problem identified by Cartwright-Cox is related to these attributes and the ability of BGP implementations to handle them. Specifically, if a router does not understand an attribute, it may pass it along without impact, but if it does understand it and the attribute is corrupted, an error can be triggered and the BGP session is shut down, preventing the affected network from communicating with the rest of the internet.
    “With some reasonably educated crafting of a payload, someone could design a BGP UPDATE that ‘travels’ along the internet unharmed, until it reaches a targeted vendor and results in that vendor resetting sessions. If that data comes down the BGP connections that are providing wider internet access for the network, this could result in a network being pulled offline from the internet,” Cartwright-Cox explained in a blog post.
    This is not just a theoretical problem. Cartwright-Cox started researching the issue after a small Brazilian network announced an internet route with a corrupt attribute in early June, causing serious disruptions in other networks.
    The expert has created a basic fuzzer to test whether various BGP implementations are impacted. He found that MikroTik, Ubiquiti, Arista, Huawei, Cisco and Bird are not affected.
    His tests showed that Juniper Networks’ Junos OS, Nokia’s SR-OS, Extreme Networks’ EXOS, OpenBSD’s OpenBGPd, and FRRouting are impacted.
    Cartwright-Cox reported his findings to impacted vendors, but said only OpenBSD (CVE-2023-38283) rushed to create a patch. Juniper and FRR developers have assigned the CVE identifiers CVE-2023-4481 and CVE-2023-38802, respectively. Juniper has published an advisory informing customers about the availability of patches. Nokia and Extreme apparently do not plan on addressing the issue.
    Grave flaws in BGP Error handling
    https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling
    Border Gateway Protocol is the de facto protocol that directs routing decisions between different ISP networks, and is generally known as the “glue” that holds the internet together. It’s safe to say that the internet we currently know would not function without working BGP implementations.

    However, the software on those networks’ routers (I will refer to these as edge devices from now on) that implements BGP has not had a flawless track record. Flaws and problems do exist in commercial and open source implementations of the world’s most critical routing protocol.
    Most of these flaws are of course benign in the grand scheme of things; they will be issues around things like route filtering, or insertion, or handling withdraws. However a much more scary issue is a BGP bug that can propagate after causing bad behaviour, akin to a computer worm.
    With some reasonably educated crafting of a payload, someone could design a BGP UPDATE that “travels” along the internet unharmed, until it reaches a targeted vendor and results in that vendor resetting sessions. If that data comes down the BGP connections that are providing wider internet access for the network, this could result in a network being pulled offline from the internet.
    This attack is not even a one-off “hit-and-run”, as the “bad” route is still stored in the peer router; when the session restarts the victim router will reset again the moment the route with the crafted payload is transmitted again. This has the potential to cause prolonged internet or peering outages.

    This is a large part of why the RFC mentioned earlier, RFC 7606, exists; looking at its security considerations section, we can see a description of this exact problem:

    Security Considerations

    This specification addresses the vulnerability of a BGP speaker to a potential attack whereby a distant attacker can generate a malformed optional transitive attribute that is not recognized by intervening routers. Since the intervening routers do not recognize the attribute, they propagate it without checking it. When the malformed attribute arrives at a router that does recognize the given attribute type, that router resets the session over which it arrived. Since significant fan-out can occur between the attacker and the routers that do recognize the attribute type, this attack could potentially be particularly harmful.

    In a basic BGP setup this is bad, but with extra engineering it could be used to partition large sections of the internet.

    Reply
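The propagation scenario described in the comment above (an optional transitive attribute that transit routers forward unchecked until a router that actually parses it finds it malformed), as an added Python model that is not part of the original post or of Cartwright-Cox's fuzzer. It contrasts the pre-RFC 7606 session reset with RFC 7606 treat-as-withdraw; the router chain, the malformed COMMUNITIES value and the simplification that only a framing error still forces a session reset are constructed assumptions for the example.

```python
"""Model of BGP path-attribute error handling: pre-RFC 7606 session reset vs. treat-as-withdraw."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple

# Path attribute flag bits (RFC 4271, section 4.3)
FLAG_OPTIONAL = 0x80
FLAG_TRANSITIVE = 0x40
FLAG_PARTIAL = 0x20
FLAG_EXT_LEN = 0x10

ORIGIN, NEXT_HOP, COMMUNITIES = 1, 3, 8  # the type codes this example uses


class Action(Enum):
    ACCEPT = "accept"                            # every attribute recognized and well-formed
    PROPAGATE_UNCHECKED = "propagate-unchecked"  # unknown optional transitive attr forwarded, Partial bit set
    TREAT_AS_WITHDRAW = "treat-as-withdraw"      # RFC 7606: drop the routes in this UPDATE, keep the session
    SESSION_RESET = "session-reset"              # pre-RFC 7606 reaction: NOTIFICATION, session torn down


@dataclass
class PathAttr:
    flags: int
    type_code: int
    value: bytes


def encode_attr(a: PathAttr) -> bytes:
    """Serialize one attribute TLV (extended length when the value exceeds 255 bytes)."""
    flags = a.flags | FLAG_EXT_LEN if len(a.value) > 255 else a.flags
    if flags & FLAG_EXT_LEN:
        return bytes([flags, a.type_code]) + len(a.value).to_bytes(2, "big") + a.value
    return bytes([flags, a.type_code, len(a.value)]) + a.value


def parse_path_attrs(blob: bytes) -> List[PathAttr]:
    """Split the Path Attributes field of an UPDATE into TLVs; ValueError on a framing error."""
    attrs: List[PathAttr] = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        flags, code = blob[i], blob[i + 1]
        i += 2
        hdr = 2 if flags & FLAG_EXT_LEN else 1
        if i + hdr > len(blob):
            raise ValueError("truncated attribute length")
        length = int.from_bytes(blob[i:i + hdr], "big")
        i += hdr
        if i + length > len(blob):
            raise ValueError("attribute length exceeds Path Attributes field")
        attrs.append(PathAttr(flags, code, blob[i:i + length]))
        i += length
    return attrs


# Well-formedness rules for the attributes a router may understand (RFC 4271 / RFC 7606 sec. 7)
VALIDATORS: Dict[int, Callable[[bytes], bool]] = {
    ORIGIN: lambda v: len(v) == 1 and v[0] in (0, 1, 2),
    NEXT_HOP: lambda v: len(v) == 4,
    COMMUNITIES: lambda v: len(v) > 0 and len(v) % 4 == 0,
}


def handle_update(blob: bytes, recognized: Set[int], rfc7606: bool) -> Tuple[Action, bytes]:
    """Decide what one router does with an UPDATE's Path Attributes.

    recognized: type codes this router's implementation parses.
    rfc7606:    True -> treat-as-withdraw on a malformed recognized attribute; False -> session reset.
    Returns the action and the attribute bytes forwarded to the next router (empty if not forwarded).
    """
    try:
        attrs = parse_path_attrs(blob)
    except ValueError:
        # Attribute boundaries, and so the NLRI, cannot be determined: session reset is all that is left
        return Action.SESSION_RESET, b""
    outcome, forwarded = Action.ACCEPT, bytearray()
    for a in attrs:
        if a.type_code in recognized:
            if not VALIDATORS.get(a.type_code, lambda v: True)(a.value):
                return (Action.TREAT_AS_WITHDRAW if rfc7606 else Action.SESSION_RESET), b""
            flags = a.flags
        elif not a.flags & FLAG_OPTIONAL:
            return Action.SESSION_RESET, b""  # unrecognized well-known attribute (RFC 4271 sec. 6.3)
        elif a.flags & FLAG_TRANSITIVE:
            flags = a.flags | FLAG_PARTIAL    # unknown but transitive: forwarded unchecked, marked Partial
            outcome = Action.PROPAGATE_UNCHECKED
        else:
            continue                          # unknown optional non-transitive: quietly dropped
        forwarded += encode_attr(PathAttr(flags, a.type_code, a.value))
    return outcome, bytes(forwarded)


def propagate(blob: bytes, chain: List[Tuple[str, Set[int], bool]]) -> List[Tuple[str, Action]]:
    """Push one UPDATE's attributes through a chain of routers; stop where the route goes no further."""
    trace: List[Tuple[str, Action]] = []
    for name, recognized, rfc7606 in chain:
        action, blob = handle_update(blob, recognized, rfc7606)
        trace.append((name, action))
        if action in (Action.SESSION_RESET, Action.TREAT_AS_WITHDRAW):
            break
    return trace


# Constructed sample: ORIGIN=IGP, NEXT_HOP=192.0.2.1, and a COMMUNITIES attribute whose 5-byte
# value is not a multiple of 4 (malformed, but only a router that parses COMMUNITIES will notice).
GOOD_ATTRS = (encode_attr(PathAttr(FLAG_TRANSITIVE, ORIGIN, b"\x00"))
              + encode_attr(PathAttr(FLAG_TRANSITIVE, NEXT_HOP, bytes([192, 0, 2, 1]))))
SAMPLE = GOOD_ATTRS + encode_attr(PathAttr(FLAG_OPTIONAL | FLAG_TRANSITIVE, COMMUNITIES, b"\x00\x01\x00\x02\x00"))

# Constructed chain: two transit routers modeled as not parsing COMMUNITIES, then an edge router that does
CHAIN = [
    ("transit-A", {ORIGIN, NEXT_HOP}, True),
    ("transit-B", {ORIGIN, NEXT_HOP}, True),
    ("edge-legacy", {ORIGIN, NEXT_HOP, COMMUNITIES}, False),  # pre-RFC 7606 handling
]

if __name__ == "__main__":
    for name, action in propagate(SAMPLE, CHAIN):
        print(f"{name:12s} -> {action.value}")
    # The same edge router with RFC 7606 handling keeps its session up and only drops the route
    print("edge-7606    ->", handle_update(SAMPLE, {ORIGIN, NEXT_HOP, COMMUNITIES}, True)[0].value)
```

Note that the route stays in the peer's table in the session-reset case, which is why the comment describes the outage as repeating on every session restart; the treat-as-withdraw path has no such loop.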
  4. Tomi Engdahl says:

    Vulnerabilities
    Recent Juniper Flaws Chained in Attacks Following PoC Exploit Publication
    https://www.securityweek.com/recent-juniper-flaws-chained-in-attacks-following-poc-exploit-publication/

    Four recent vulnerabilities in the J-Web component of Junos OS have started being chained in malicious attacks after PoC exploit code was published.

    Reply
  5. Tomi Engdahl says:

    Malware & Threats
    DreamBus Botnet Exploiting RocketMQ Vulnerability to Delivery Cryptocurrency Miner

    The DreamBus botnet has resurfaced and it has been exploiting a recently patched Apache RocketMQ vulnerability to deliver a Monero miner.

    https://www.securityweek.com/dreambus-botnet-exploiting-rocketmq-vulnerability-to-delivery-cryptocurrency-miner/

    Reply
  6. Tomi Engdahl says:

    Vulnerabilities
    High-Severity Memory Corruption Vulnerabilities Patched in Firefox, Chrome
    https://www.securityweek.com/high-severity-memory-corruption-vulnerabilities-patched-in-firefox-chrome/

    Mozilla and Google have released stable updates for the Firefox and Chrome browsers to address several memory corruption vulnerabilities.

    Mozilla and Google on Tuesday announced the release of stable updates for Firefox and Chrome to address several high-severity vulnerabilities, including memory corruption issues.

    Mozilla released Firefox 117 with patches for 13 vulnerabilities, including seven rated ‘high severity’, four of which are described as memory corruption bugs affecting the browser’s IPC CanvasTranslator, IPC ColorPickerShownCallback, IPC FilePickerShownCallback, and JIT UpdateRegExpStatics components.

    Google on Tuesday released its second weekly update for Chrome, now rolling out as version 116.0.5845.140 for macOS and Linux and as versions 116.0.5845.140/.141 for Windows.

    The Chrome update resolves one vulnerability, tracked as CVE-2023-4572 and described as a use-after-free flaw in MediaStream. Such issues may often be exploited to escape Chrome’s sandbox and achieve remote code execution, if combined with other vulnerabilities.

    https://chromereleases.googleblog.com/2023/08/stable-channel-update-for-desktop_29.html

    Reply
  7. Tomi Engdahl says:

    Can you hack snax?
    Lidl recalls popular Paw Patrol kid’s snacks because of web hack. The URL published on the packaging had been compromised to show ‘explicit’ content.

    On the recall notice, Lidl wrote: “Lidl GB is recalling the above-mentioned branded product as we have been made aware that the URL of the supplier which is featured on the back of the packaging has been compromised and is being directed to a site that is not suitable for child consumption.”

    https://www.standard.co.uk/news/uk/lidl-paw-patrol-snacks-recalled-b1103802.html
    https://www.southwalesargus.co.uk/news/national/uk-today/23758017.lidl-paw-patrol-snack-recall-due-link-explicit-website/
    https://www.goodto.com/food/food-news/lidl-urgently-recalls-4-popular-paw-patrol-snacks-over-explicit-error-do-you-have-any-in-your-cupboard

    Reply
  8. Tomi Engdahl says:

    GRU hackers attack Ukrainian military with new Android malware https://www.bleepingcomputer.com/news/security/gru-hackers-attack-ukrainian-military-with-new-android-malware/

    Hackers working for the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, more commonly known as the GRU, have been targeting Android devices in Ukraine with a new malicious framework named ‘Infamous Chisel’.

    Reports today from the UK National Cyber Security Center (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) dive deeper into the technical details of Infamous Chisel, showing its capabilities and sharing information that can help defend against it.

    Reply
  9. Tomi Engdahl says:

    North Korean hackers behind malicious VMConnect PyPI campaign https://www.bleepingcomputer.com/news/security/north-korean-hackers-behind-malicious-vmconnect-pypi-campaign/

    North Korean state-sponsored hackers are behind the VMConnect campaign that uploaded to the PyPI (Python Package Index) repository malicious packages, one of them mimicking the VMware vSphere connector module vConnector.

    The packages were uploaded at the beginning of August, with one named VMConnect targeting IT professionals seeking virtualization tools

    At the time it was removed from the PyPI platform, VMConnect counted 237 downloads. Two more packages featuring the same code, published with the names ‘ethter’ and ‘quantiumbase’ and also impersonating popular software projects, were downloaded 253 and 216 times, respectively.

    Reply
  10. Tomi Engdahl says:

    Free Key Group ransomware decryptor helps victims recover data https://www.bleepingcomputer.com/news/security/free-key-group-ransomware-decryptor-helps-victims-recover-data/

    Researchers took advantage of a weakness in the encryption scheme of Key Group ransomware and developed a decryption tool that lets some victims recover their files for free.

    The attackers claimed their malware used “military-grade AES encryption” but the locker uses a static salt across all encryption processes, making the scheme somewhat predictable and the encryption possible to reverse.

    Key Group is a Russian-speaking threat actor that sprung into action in early 2023, attacking various organizations, stealing data from compromised systems, and then using private Telegram channels to negotiate ransom payments.

    Reply
  11. Tomi Engdahl says:

    Grave flaws in BGP Error handling
    https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling

    Border Gateway Protocol is the de facto protocol that directs routing decisions between different ISP networks, and is generally known as the “glue” that holds the internet together. It’s safe to say that the internet we currently know would not function without working BGP implementations.

    Most of these flaws are of course benign in the grand scheme of things; they will be issues around things like route filtering, or insertion, or handling withdraws. However a much more scary issue is a BGP bug that can propagate after causing bad behaviour, akin to a computer worm.

    Reply
  12. Tomi Engdahl says:

    Paramount confirms data breach after cyberattack https://therecord.media/paramount-data-breach-cyberattack

    The movie studio and streaming giant Paramount confirmed a data breach this week involving the personal information of fewer than 100 people.

    The incident, which was first reported by Bleeping Computer, was reportedly not related to ransomware or to the exploitation of the MOVEit vulnerability.

    After an investigation the studio discovered that names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers and the person’s relationship to Paramount were leaked during the breach.

    Reply
  13. Tomi Engdahl says:

    Forever 21 data breach: hackers accessed info of 500,000 https://www.bleepingcomputer.com/news/security/forever-21-data-breach-hackers-accessed-info-of-500-000/

    Forever 21 clothing and accessories retailer is sending data breach notifications to more than half a million individuals who had their personal information exposed to network intruders.

    A sample of the data breach notice shared with the Office of the Maine Attorney General says that the company detected a cyberattack on several of its systems on March 20.

    Reply
  14. Tomi Engdahl says:

    Vulnerability in WordPress Migration Plugin Exposes Websites to Attacks
    https://www.securityweek.com/vulnerability-in-wordpress-migration-plugin-exposes-websites-to-attacks/

    A vulnerability in the All-in-One WP Migration plugin’s extensions exposes WordPress websites to attacks leading to sensitive information disclosure.

    A vulnerability in several extensions for the All-in-One WP Migration plugin potentially exposes WordPress websites to attacks leading to sensitive information disclosure.

    With more than five million installations and maintained by ServMask, All-in-One WP Migration is a highly popular plugin for moving websites that also provides several premium extensions for migrating to third-party platforms.

    On Wednesday, WordPress security firm Patchstack shared details on a vulnerability impacting All-in-One WP Migration’s Box, Google Drive, OneDrive, and Dropbox extensions that could allow attackers to access sensitive information.

    Tracked as CVE-2023-40004 and described as an unauthenticated access token manipulation issue, the bug could allow an unauthenticated attacker to tamper with the access token configuration of the affected extension.

    Pre-Auth Access Token Manipulation in All-in-One WP Migration Extensions
    https://patchstack.com/articles/pre-auth-access-token-manipulation-in-all-in-one-wp-migration-extensions/

    This blog post is about the All-in-One WP Migration Extensions vulnerability. If you’re an All-in-One WP Migration Extensions user specified below, please update the plugin to the patched version mentioned in this article.

    Reply
  15. Tomi Engdahl says:

    Cloud Security
    Dangling DNS Used to Hijack Subdomains of Major Organizations
    https://www.securityweek.com/dangling-dns-used-to-hijack-subdomains-of-major-organizations/

    Dangling DNS records were abused by researchers to hijack subdomains belonging to major organizations, warning that thousands of entities are impacted.

    Researchers have abused dangling DNS records to hijack subdomains belonging to over a dozen major organizations, and they warn that thousands of entities are vulnerable to such attacks.

    The research was conducted by Vienna-based IT security consulting firm Certitude Consulting, whose employees managed to take control of subdomains belonging to governments, political parties, universities, and media companies in an effort to demonstrate the potential risk.

    They targeted subdomains belonging to government organizations in the US, Canada, UK and Australia; the Austrian political party FPÖ; cybersecurity firm Netscout; US insurance giant Penn Mutual; CNN; several major universities in the United States (UCLA, Stanford, and University of Pennsylvania); and a couple of financial institutions.

    The Certitude researchers configured the hijacked subdomains to redirect visitors to a ‘security awareness notice’ page explaining who they are, what they have done, and how they did it, along with instructions for preventing subdomain hijacking and recovering the subdomain.

    However, a malicious actor could have exploited the DNS weakness for malware distribution, spreading misinformation, phishing attacks, and social engineering. These types of attacks are more likely to succeed if they involve a subdomain belonging to a reputable and trusted organization.

    Thousands of Organizations Vulnerable to Subdomain Hijacking
    https://certitude.consulting/blog/en/subdomain-hijacking/

    Reply
  16. Tomi Engdahl says:

    Bypassing Bitlocker With A Logic Analzyer
    https://hackaday.com/2023/08/25/bypassing-bitlocker-with-a-logic-analzyer/

    Security Engineer [Guillaume Quéré] spends the day penetration testing systems for their employer and has pointed out and successfully exploited a rather obvious weakness in the BitLocker full volume encryption system, which as the linked article says, allows one to simply sniff the traffic between the discrete TPM chip and CPU via an SPI bus. The way Bitlocker works is to use a private key stored in the TPM chip to encrypt the full volume key that in turn was used to encrypt the volume data. This is all done by low-level device drivers in the Windows kernel and is transparent to the user.
    TPM chip pins too small? Just find something else on the bus!

    The whole point of BitLocker was to prevent access to data on the secured volume in the event of a physical device theft or loss.

    Simply pulling the drive and dropping it into a non-secured machine or some other adaptor would not provide any data without the key stored by the TPM. However, since that key must pass as plaintext from the TPM to the CPU during the boot sequence, [Guillaume] shows that it is quite straightforward — with very low-cost tools and free software — to simply locate and sniff out this TPM-to-CPU transaction and decode the datastream and locate the key. Using little more than a cheapo logic analyser hooked up to some conveniently large pins on a nearby flash chip (because the SCK, MISO, and MOSI pins are shared with the TPM) the simple TIS was decoded enough to lock onto the bytes of the TPM frame.

    Bypassing Bitlocker using a cheap logic analyzer on a Lenovo laptop
    https://www.errno.fr/BypassingBitlocker.html

    Have you ever been told that the company’s data on laptops is protected thanks to BitLocker? Well it turns out that this depends on BitLocker’s configuration…

    Capturing the TPM exchange

    We’ll be using a dirt cheap logic analyzer, DSLogic Plus. I bought this for under $100 in 2021 (tax and shipping included).

    A note on signal capture: to comfortably acquire a signal the sampling frequency should be 3 to 4 times the bus frequency. This means that for our SPI 33MHz bus we should sample at the very least at 100MHz. Notice that the specs of the analyzer state that it can do up to 400MHz on up to 16 channels. I’ll help you read between the lines here:

    the more channels you capture at a time (by sets of 3), the lower the sampling frequency
    you have to distinguish stream mode and buffer mode. The first one will send results directly to the host computer and permits capture of large sets, up to a minute, but it’s limited to 100MHz on 3 channels. The buffer mode allows sampling at 400MHz but it will only work for a few milliseconds, so there’s no practical use for it here.

    This means that this hardware can barely do the job we’re asking it to do. For a more professional option both hardware and software-wise (but also 10x pricier) have a look at Saleae. Otherwise there’s sigrok’s list of supported hardware.

    As for plugging the analyzer to the board, remember that SPI is a shared bus. This means that there’s no need to capture the signal right at the tiny TPM pins if there is a larger SPI component on the board that the hooks can be latched on to. From experience I identified a neighbouring SPI flash, but fortunately all components are marked so it’s rather easy to identify their use by looking up their datasheet.

    SPI has several lines but only 3 can be captured using the DSLogic because otherwise the sampling frequency drops. The 3 most important ones are the clock CLK and the two data lines MOSI and MISO.

    The threshold voltage (level at which the analyzer decides that the line has changed states) should be around half of the signal’s voltage, here the latter was measured at 3.3V so an appropriate threshold is around 1.6V.

    Decoding the captured signal

    There are 3 layers to decode:

    SPI, which is the physical layer
    TIS
    TPM2.0, which contains the VMK

    SPI

    As far as SPI is concerned any logic analyzer should do this properly

    TIS

    TIS, which stands for TPM Interface Specification, is another beast entirely and that’s where I had most of my troubles. I couldn’t find a decoder that worked for my capture and decided to do it “manually”. Short of correctly decoding the data, the libsigrok decoders did at least indicate a rough window for the TPM exchanges, which was a welcome tip since each capture has several million bytes of data. Maybe the decoders fail because the capture is missing Chip Select (CS#) which is required in the TPM specification, maybe because the clock is incorrect, maybe because some bytes are occasionally missing, maybe for some other reason, who knows.

    TPM 2.0

    The TPM command that requests the key be sent back is the TPM2_Unseal command. It is described in part 3 of the TPM 2.0 specification.

    You might ask how I isolated the frames below since no decoder would work. We don’t actually care about the requests happening on MOSI, we’re mostly interested in the responses on the MISO line. As we’ve seen previously the TIS encoding around TPM bytes is rather simple, so the simplest way to isolate all TPM transactions is to filter the raw SPI data using the mask “80 00 00 00 01 ..” and only keep this wildcard last byte.

    In the buffer lies our key, it starts with 5761 and is 32 bytes long.
    Mounting and backdooring the disk

    Mounting the disk live in read/write mode (if you’d rather work offline do a disk copy with dd and then mount this copy using a loop device):

    # write the key (hex) out as raw bytes
    echo 5761A391DF1F00E1B3852828C6DDA6F9A5FEACE971A4AAAE442518F74AA7FED6E0FC | xxd -r -p > key
    # expose the decrypted volume through dislocker, then mount the resulting image
    dislocker-fuse -K key /dev/sdd3 ./mnt/
    mount ./mnt/dislocker-file ./mnt2/

    Then the simplest backdoor is to just overwrite the sticky keys program with cmd.

    Limitations

    I cannot recommend using the DSLogic for this task:

    a lot of captures were duds and had to be thrown away
    sampling at 3 times the bus speed was barely enough to have a coherent clock and some bytes were missing

    This forced me to spend way too much time to understand the protocols in order to decode the capture. In the end time is money, if you’re an employer reading this just buy a professional logic analyzer for your employees.

    Takeaways

    The use of a discrete (physical) TPM does not increase the security of the system as one would expect and creates the illusion of security.

    To protect against this attack you could either use a fTPM or, if the discrete TPM has to be used, then it is necessary to set a PIN or passphrase on BitLocker (as recommended by Microsoft).

    Reply
  17. Tomi Engdahl says:

    Leaseweb Reports Cloud Disruptions Due to Cyberattack
    https://www.securityweek.com/leaseweb-reports-cloud-disruptions-due-to-cyberattack/

    Dutch cloud company Leaseweb shut down some critical systems last week due to a cyberattack.

    Reply
  18. Tomi Engdahl says:

    Malware & Threats
    3 Malware Loaders Detected in 80% of Attacks: Security Firm
    https://www.securityweek.com/only-3-malware-loaders-detected-in-80-of-attacks-security-firm/

    QakBot, SocGholish, and Raspberry Robin are the three most popular malware loaders, accounting for 80% of the observed incidents.

    Reply
  19. Tomi Engdahl says:

    North Korean APT Hacks Internet Infrastructure Provider via ManageEngine Flaw
    https://www.securityweek.com/north-korean-apt-hacks-internet-infrastructure-provider-via-manageengine-flaw/

    North Korea-linked Lazarus Group exploited a ManageEngine vulnerability to compromise an internet backbone infrastructure provider.

    Reply
  20. Tomi Engdahl says:

    In Other News: Africa Cybercrime Crackdown, Unpatched macOS Flaw, Investor Disclosures

    Weekly cybersecurity news roundup that provides a summary of noteworthy stories that might have slipped under the radar for the week of August 21, 2023.

    https://www.securityweek.com/in-other-news-africa-cybercrime-crackdown-unpatched-macos-flaw-investor-disclosures/

    Facebook expands end-to-end encryption in Messenger

    Facebook parent company Meta is expanding end-to-end encryption (E2EE) testing in Messenger, in preparation for enabling it by default for all one-to-one friends and family chats by the end of the year. To access default E2EE, users will need to update the application to newer builds, the internet giant announced.

    EY analyzes investor cyber disclosures

    EY’s analysis of proxy statements and 10‑K filings over the past six years has shown “steady and significant increases in the percentage of disclosures in certain categories of cyber management and oversight.” The report also shows increases in the frequency of management reporting to the board, cybersecurity as a sought-after area of expertise, and in the use of external independent advisors.

    CISA publishes first VDP Platform report

    In its inaugural VDP Platform Annual Report, the US Cybersecurity and Infrastructure Security Agency (CISA) said its VDP platform facilitated the remediation of more than 1,000 vulnerabilities through December 2022, including nearly 200 critical issues.

    Reply
  21. Tomi Engdahl says:

    Chinese-Backed APT ‘Flax Typhoon’ Hacks Taiwan With Minimal Malware Footprint
    https://www.securityweek.com/chinese-backed-apt-flax-typhoon-hacks-taiwan-with-minimal-malware-footprint/

    Microsoft warns that Chinese spies are hacking into Taiwanese organizations with minimal use of malware and by abusing legitimate software.

    Reply
  22. Tomi Engdahl says:

    VPN
    TunnelCrack attack may cause vulnerable VPNs to leak traffic • The Register
    There’s a good chance your VPN is vulnerable to privacy-menacing TunnelCrack attack https://www.theregister.com/2023/08/10/tunnelcrack_vpn/

    A couple of techniques collectively known as TunnelCrack can, in the right circumstances, be used by snoops to force victims’ network traffic to go outside their encrypted VPNs, it was demonstrated this week.

    A team of academics on Tuesday explained how the attacks work, released proof-of-concept exploits, and reckoned “every VPN product is vulnerable on at least one device.”
    The researchers said they tested more than 60 VPN clients, and found that “all VPN apps” on iOS are vulnerable. Android appears to be most secure of the bunch.
    This Week In Security: TunnelCrack, Mutant, And Not Discord
    https://hackaday.com/2023/08/18/this-week-in-security-tunnelcrack-mutant-and-not-discord/

    Up first is a clever attack against VPNs, using some clever DNS and routing tricks. The technique is known as TunnelCrack (PDF), and every VPN tested was vulnerable to one of the two attacks, on at least one supported platform.

    The first attack assumes an attacker is on the same network as the victim, and works by manipulating the victim’s routing tables. How? DHCP. We’re used to DHCP giving out local network addresses, but there’s nothing to prevent giving a client a fully routable address. Now here’s the trick: Many VPN clients make an exception for traffic sent to the local network. An attacker just hands out an address and subnet telling the victim machine that the entire Internet is on the local network. The attacker can capture all that traffic, route it correctly, and the VPN user doesn’t know the difference.

    TunnelCrack
    https://tunnelcrack.mathyvanhoef.com/
    8 August 2023 — TunnelCrack is a combination of two widespread security vulnerabilities in VPNs. An adversary can abuse these vulnerabilities to leak traffic outside the VPN tunnel. Our tests indicate that every VPN product is vulnerable on at least one device. We found that VPNs for iPhones, iPads, MacBooks, and macOS are extremely likely to be vulnerable, that a majority of VPNs on Windows and Linux are vulnerable, and that Android is the most secure with roughly one-quarter of VPN apps being vulnerable. The discovered vulnerabilities can be abused regardless of the security protocol used by the VPN.

    In the LocalNet attack, the adversary acts as a malicious Wi-Fi or Ethernet network, and tricks the victim into connecting to this network. An easy way to accomplish this is by cloning a popular Wi-Fi hotspot such as “starbucks”. Once connected, the adversary assigns a public IP address and subnet to the victim.

    In the ServerIP attack, we abuse the observation that many VPNs don’t encrypt traffic towards the IP address of the VPN server. This is done to avoid re-encryption of packets. As an example, say the VPN server is identified by the hostname vpn.com and the real IP address of the VPN server is 2.2.2.2. Let’s assume the adversary wants to intercept traffic to target.com which has IP address 1.2.3.4.

    We found that the built-in VPN clients of Windows, macOS, and iOS are vulnerable. Android 12 and higher is not affected. A significant number of Linux VPNs are also vulnerable. Additionally, we found that most OpenVPN profiles, when used with a vulnerable VPN client, use a hostname to identify the VPN server and therefore may result in vulnerable behavior. For more details about the ServerIP experiments, see our paper. To prevent the attack, VPN clients should be updated to send all traffic through the VPN tunnel, except traffic generated by the VPN app itself.

    Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables
    https://papers.mathyvanhoef.com/usenix2023-tunnelcrack.pdf

    How to fix TunnelCrack VPN leaks
    What caused a mass vulnerability in VPN clients, and how to keep them working.
    https://www.kaspersky.com/blog/how-to-fix-tunnelcrack-vpn-leak/48788/

    What to do as a VPN user

    Check your VPN service for updates. Peruse the official website and contact technical support. It’s possible that your provider has already updated its applications and settings, so it may be enough to install an update to fix the problem. Note that there may not be an update for iOS due to VPN configuration restrictions on Apple’s side.
    For services based on pure OpenVPN (of which there are plenty) you can use any OpenVPN client in which the vulnerabilities are fixed. The researchers recommend Windscribe.
    Check the exclusions in the VPN service settings. If there is an option to “route local traffic without VPN” or “allow access to local network,” disable it. In other words, all traffic must go through the VPN. The obvious downside of this setting is that you won’t be able to log in from the computer to a local NAS or manage smart devices via Wi-Fi over a local network.

    What to do as a corporate VPN administrator

    Check if your VPN clients are exposed to this vulnerability. A manual testing method is described by the researchers on GitHub. Test all versions of VPN clients used in your company for all relevant platforms.

    Testing LocalNet Attacks and ServerIP Attacks
    https://github.com/vanhoefm/vpnleaks#id-testlocalnet

    LocalNet and ServerIP attack
    https://forums.openvpn.net/viewtopic.php?t=36077

    by MatejKovacic » Wed Aug 09, 2023 9:57 am
    TunnelCrack is a combination of two widespread security vulnerabilities in VPNs. An adversary can abuse these vulnerabilities to leak traffic outside the VPN tunnel. Our tests indicate that every VPN product is vulnerable on at least one device.

    https://tunnelcrack.mathyvanhoef.com

    Any suggestion for mitigation?

    I would say it helps using static IP addresses (and not FQDN) and strict certificate checking on the client side. What else?

    TunnelCrack: Widespread design flaws in VPN clients
    https://www.reddit.com/r/VPN/comments/15mgoiv/tunnelcrack_widespread_design_flaws_in_vpn_clients/?rdt=38060

    TunnelCrack, a combination of two widespread security vulnerabilities in VPNs. Although a VPN is supposed to protect all data that a user transmits, our attacks can bypass the protection of a VPN. For instance, an adversary can abuse our vulnerabilities to leak and read user traffic, steal user information, or attack user devices.

    Crappy paper.

    Assumes that OpenVPN clients aren’t using “redirect def1”.

    Assumes that servers aren’t using secure dns for reverse-dns load balancing or direct IPs on the clients.

    Assumes that there are no firewalls.

    These are all known issues that VPN companies have been working on for 10+ years.

    Of course all of the crappy ones are affected.

    The only major finding is that the mitigations don’t seem to be working on iOS.

    I thought it was a useful paper, given that so many clients are vulnerable. I’d like to know if Linux’s built-in (Network Manager) OpenVPN client is vulnerable.

    It would be if you set it up wrong.

    You need to set up redirect def1 to force everything through the tunnel device. If you want to be doubly careful set up firewall rules as well.

    To me, this paper is about as novel as writing a paper about DNS leaks and then testing a bunch of crappy VPNs and talking about what a huge problem it is.

    Reply
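The posts above converge on a handful of OpenVPN client settings as the practical TunnelCrack mitigations: identify the server by IP rather than FQDN, force all traffic through the tunnel with redirect-gateway def1, verify the server identity strictly, and disable any "allow access to local network" bypass. The following audit script is an added example (not the researchers' GitHub test procedure and not from the OpenVPN forum or Reddit threads): it parses an OpenVPN client profile and reports which of those mitigations are missing. The sample profiles, the 192.0.2.10 server address and the vpn.example.com name are constructed placeholders; mapping the Kaspersky advice "disable access to local network" onto OpenVPN's block-local flag is my own choice.

```python
"""Audit an OpenVPN client profile for the TunnelCrack mitigations
discussed in the comment thread (added example, not the original
researchers' test script)."""
import ipaddress

# Constructed sample: a typical consumer profile that identifies the server
# by hostname and does not force all traffic through the tunnel.
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
"""

# Same profile with the mitigations from the thread applied: server given
# as an IP literal, all traffic redirected into the tunnel, local LAN
# blocked, strict server identity check.  IP and name are placeholders.
HARDENED_PROFILE = """\
client
dev tun
proto udp
remote 192.0.2.10 1194
redirect-gateway def1 block-local
remote-cert-tls server
verify-x509-name vpn.example.com name
ca ca.crt
cert client.crt
key client.key
"""


def parse_profile(text):
    """Return (directive, [args]) pairs; lines starting with # or ; are comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def is_ip_literal(host):
    """True for a v4/v6 address, False for a hostname (FQDN)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_profile(text):
    """Return a list of finding strings; an empty list means nothing flagged."""
    directives = parse_profile(text)
    names = {name for name, _ in directives}
    findings = []

    # ServerIP attack: the page notes that profiles naming the server by
    # hostname may lead vulnerable clients to exempt a spoofed address.
    remotes = [args for name, args in directives if name == "remote" and args]
    if not remotes:
        findings.append("no remote directive")
    for args in remotes:
        if not is_ip_literal(args[0]):
            findings.append(f"ServerIP: remote '{args[0]}' is a hostname, not an IP literal")

    # LocalNet attack: everything must go through the tunnel and the local
    # network bypass must be off (redirect-gateway def1 block-local).
    redirect = [args for name, args in directives if name == "redirect-gateway"]
    if not redirect:
        findings.append("LocalNet: no redirect-gateway, traffic is not forced through the tunnel")
    else:
        flags = {flag for args in redirect for flag in args}
        if "def1" not in flags:
            findings.append("LocalNet: redirect-gateway without def1")
        if "block-local" not in flags:
            findings.append("LocalNet: local LAN not blocked (missing block-local)")

    # Strict certificate checking on the client side, as the forum post suggests.
    if "remote-cert-tls" not in names and "verify-x509-name" not in names:
        findings.append("server identity not pinned (no remote-cert-tls / verify-x509-name)")

    # route-nopull discards server-pushed routes, including a pushed redirect.
    if "route-nopull" in names:
        findings.append("route-nopull ignores server-pushed routes")

    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_profile(profile) or ["ok"])
```

The checks are deliberately conservative: a profile can pass them and still leak if the client binary itself is one of the vulnerable implementations, which is why the Kaspersky guide's first step is to update the client and the researchers' manual test on GitHub remains the authoritative check. Firewall rules that only permit traffic out of the tunnel interface (plus the VPN server endpoint) are the second layer the Reddit poster recommends and are outside what a profile audit can see.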
  23. Tomi Engdahl says:

    The average Starlink user probably doesn’t spend a lot of time thinking about their hardware after getting the dish aligned and wiring run. To security researchers, however, it’s another fascinating device to tinker with as they reverse-engineer the firmware and try to both find out what makes it tick, as well as how to break it. This is essentially the subject of ‘s article over at Quarkslab as he……

    DIVING INTO STARLINK’S USER TERMINAL FIRMWARE
    https://hackaday.com/2023/08/31/diving-into-starlinks-user-terminal-firmware/?fbclid=IwAR2l-AHY10L7pvcLPDz_w8UydA44htT_g2oynRH4dveaYNOG1nfRyMvbHho

    The user terminal hardware itself is a quite standard AArch64 ARM-based SoC, along with the proprietary communication interface, all of which is controlled by the Linux-based firmware. Dumping the firmware itself was made easy thanks to existing work by researchers at the KU Leuven, involving dumping the contents of the onboard eMMC storage. After this the firmware architecture could be analyzed, which turned out to consist out of mostly C++-based binaries, but with a single big binary for the user front-end written in Go.

    https://blog.quarkslab.com/starlink.html

    Reply
