A team of security researchers from the University of New Mexico has disclosed a new vulnerability that could allow attackers to probe devices and determine various details about the VPN (Virtual Private Network) connection status of a user.
The security vulnerability (CVE-2019-14899) appears to affect most GNU/Linux distributions, as well as FreeBSD, OpenBSD, Android, iOS and macOS systems. William J. Tolley, one of the security researchers, explained in a post that the vulnerability could let attackers determine whether another user is connected to a VPN, learn the virtual IP address the VPN server has assigned to them, and detect whether there is an active connection to a given website.
“Most of the Linux distributions we tested were vulnerable, especially Linux distributions that use a version of systemd pulled after November 28th of last year which turned reverse path filtering off. However, we recently discovered that the attack also works against IPv6, so turning reverse path filtering on isn’t a reasonable solution,” added Tolley.
This vulnerability is said to work against popular VPN solutions including OpenVPN, WireGuard, and IKEv2/IPSec. However, it has not been thoroughly tested against Tor. The researchers believe Tor is not vulnerable, as it operates at the SOCKS layer and performs its authentication and encryption in userspace.
Though the security researchers are yet to publish a detailed paper on their findings, they did share three mitigations with IT administrators.