VPN users worldwide face a new threat known as port shadowing, which enables attackers to intercept and manipulate connections, potentially directing users to malicious sites. Researchers from multiple universities presented this finding at the Privacy Enhancing Technologies Symposium 2024 in England, which runs until 2024/07/20.
The vulnerability affects OpenVPN, WireGuard, and OpenConnect software running on Linux and FreeBSD.
In port shadowing attacks, attackers can send specially crafted packets to the VPN server from their own connection or a remote location on the Internet, potentially impacting other users on the same server. The researchers coined the term “port shadowing” to describe how attackers conceal their information within a victim’s port, facilitating activities like eavesdropping, port scanning, or connection hijacking, as outlined in their 18-page paper.
VPN servers utilize a connection tracking framework to manage traffic between connected users, offering significant control over packet handling. However, this framework’s shared nature among all connected users can be exploited by malicious actors to redirect packets in unauthorized ways, as highlighted by the researchers.
“While VPNs generally enhance security, certain vulnerabilities like port shadowing can expose users to risks such as eavesdropping or connection hijacking,” the researchers warned. Currently, no security update is available for this issue, but VPN providers can mitigate risks by implementing firewall rules. Alternatively, users can adopt protocols like ShadowSocks or Tor as temporary solutions.
At the time of discovery, the issue was already known within OpenVPN, where it is tracked as CVE-2021-3773, which has a severity rating of 9.8 out of 10. Notably, VPN providers such as NordVPN, ExpressVPN, and Surfshark, which utilize OpenVPN or WireGuard, are not vulnerable to CVE-2021-3773.
Source: Ciso Advisor