Port Shadow Attack Allows VPN Traffic Interception, Redirection


A team of researchers warns that VPNs are affected by a vulnerability that can be exploited to launch man-in-the-middle (MitM) attacks, enabling threat actors to intercept and redirect traffic.

The research was conducted by representatives of Arizona State University, University of New Mexico, University of Michigan, and the University of Toronto’s Citizen Lab. 

The attack technique, named Port Shadow and tracked as CVE-2021-3773, builds on research first presented by Benjamin Mixon-Baca and Jedidiah R. Crandall back in 2021. Both were involved in the new research project on behalf of Arizona State University. 

A paper detailing the research was published this week, and Citizen Lab, which often conducts research focusing on online privacy and security, has published a summary.

VPNs, or virtual private networks, are designed for securely accessing remote resources, and they are often used to bypass censorship mechanisms and to hide an individual’s identity online. 

The Port Shadow attack enables threat actors to target others who are using the same VPN server. Specifically, VPN servers have a shared resource called a port, with each connection being assigned to a port. 

According to the researchers, an attacker can “shadow their own information on a victim’s port as a shared resource”.

“By carefully crafting packets from within the attacker’s own connection to the VPN server and from a remote Internet location controlled by the attacker, it is possible to carry out attacks on other VPN users who are using the same VPN server in a manner that is very similar to the attacks that could be carried out on shared WiFi,” they explained. 


The researchers demonstrated how an attacker can leverage Port Shadow to act as an in-path router between the targeted user and the VPN server, enabling them to intercept and redirect encrypted traffic, deanonymize a VPN peer, and conduct port scans. 

The Port Shadow attack has been found to work against OpenVPN, WireGuard, and OpenConnect running on Linux or FreeBSD — although FreeBSD is less vulnerable.

“We disclosed this vulnerability to the VPN software developers, Linux, and FreeBSD, but, because of the way the vulnerability works, the mitigation strategy is limited to using specific firewall rules as opposed to a code fix,” Citizen Lab explained.

The researchers have shared some recommendations for VPN developers and providers that should help prevent Port Shadow attacks. In the case of end users, connecting to a private VPN server is the best way to protect themselves against such attacks. ShadowSocks and Tor are not impacted.
