Cybersecurity researchers from Leviathan Security have flagged a potentially major security concern around VPN services.
The team recently uncovered a vulnerability that forces almost all such apps to send and receive traffic outside the VPN tunnel, which is essentially their entire purpose.
The findings on the flaw, named TunnelVision, were published in a blog post, which also states that so far, there is no straightforward solution to the problem. It further claims that the vulnerability existed since at least 2002, and is highly likely that hackers found it, and abused it in the wild, already.
TunnelVision
As per the blog post, if the attacker has control over the network the victim is connecting to, they can configure the DHCP server that allocates IP addresses. Malicious entities connecting as unprivileged users can set up their own DHCP server, as well, to the same result.
This feature is called “option 121”, and allows the server to gain priority over the default routing rules that send VPN traffic through a local IP address that triggers the encrypted tunnel. Consequently, all of the traveling data is going to the DHCP server itself, won’t be encrypted by the VPN, and will be viewable to the attacker.
VPN apps running on the majority of popular operating systems these days are all vulnerable, the researchers said. They’ve observed one mitigation, and seen a fix on Linux. However, the mitigation opens up the possibility of a side-channel attack, which is a major vulnerability in its own right.
Removing support for DHCP is not the solution either, “because this could break Internet connectivity in some legitimate cases,” they added. “The strongest recommendation we have is for VPN providers to implement network namespaces on operating systems that support them,” the researchers concluded. Android is the only OS unaffected by this flaw since it doesn’t implement option 121 to begin with.
