Researchers from Citizen Lab have presented a paper expanding the threat model of a 2021 attack impacting popular VPN software, dubbed “Port Shadow.”
Presented by Benjamin Mixon-Baca at the Privacy Enhancing Technologies Symposium (PETS) 2024 in Bristol, UK, the paper details how the “Port Shadow” attack, and the underlying vulnerability which is tracked as CVE-2021-3773, still affects major VPN protocols such as OpenVPN, WireGuard, and OpenConnect on Linux and FreeBSD systems.
The Port Shadow attack
The port shadow attack, first documented roughly three years ago, concerns an exploit that significantly extends the reach and capabilities of attackers targeting VPN users. At its core, this attack manipulates the shared resources on a VPN server, specifically, the ports used by the connection tracking framework.
The mechanism of the attack comprises the specific components listed below:
- Shared resource exploitation: In a typical VPN setup, multiple users connect to the same VPN server, and each connection is assigned a unique port. These ports are part of the connection tracking framework, which manages how data packets are routed between the users' devices and the internet.
- Crafting malicious packets: An attacker, who is also connected to the same VPN server, can craft malicious data packets. These packets are designed to exploit the connection tracking framework by mimicking legitimate traffic and manipulating the shared port assignments.
- Hijacking connections: By carefully injecting these crafted packets, the attacker can redirect traffic intended for another user to themselves. This effectively makes the attacker an in-path router, intercepting and potentially altering the data being transmitted between the victim and the VPN server.
- Deanonymizing and interfering: Once in this position, the attacker can deanonymize the victim's connection, perform port scans, inject malicious DNS responses, or even redirect the victim to malicious websites. The attack is not limited by the attacker's physical location but rather by their ability to connect to the same VPN server as the victim.
“We found that Linux/Netfilter + (OpenVPN and WireGuard), which a large fraction of VPN services use, has the highest susceptibility to these attacks regardless of client platform (PC, Android, and iOS).”
Citizen Lab
Risk mitigation
The researchers demonstrated that VPN servers using OpenVPN or WireGuard today can still be exploited through the port shadow attack, allowing attackers to hijack connections, inject malicious packets, or perform denial-of-service attacks.
Neither OpenVPN nor WireGuard has addressed the risks that arise from CVE-2021-3773, because the flaw isn't part of their software stacks. The Linux kernel team did attempt to fix the issue in December 2021, but the fixing commit was reverted due to backwards compatibility issues in March 2022, and the flaw has remained unaddressed since then. Citizen Lab says CVE-2021-3773 is still exploitable in the most recent Linux kernel version.
To mitigate the risk, VPN vendors should randomize source port selection to reduce predictability in port assignment, implement specific firewall rules that block unauthorized port usage, and limit concurrent connections to lower numbers.
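As an added illustration, and not code from the Citizen Lab paper or from any VPN project, the following Python model shows the shared-port contention described in the list above and two of the mitigations recommended here: randomized source port selection and a cap on concurrent connections. The server's connection tracking table maps each client flow to one public port per destination; under a port-preserving policy, two clients that pick the same source port for the same destination contend for the same entry, and the port a victim ends up with is predictable from its own choice. All class and function names, the tunnel and destination addresses, and the ephemeral port range are assumptions constructed for this example.

```python
"""Model of the shared NAT port space on a VPN server under two allocation policies.

Constructed illustration only: it does not reproduce Netfilter's actual conntrack
logic, just the shared-resource property that makes port assignment predictable.
"""
import random
from dataclasses import dataclass, field

EPHEMERAL_RANGE = range(32768, 61000)  # assumption: a Linux-like ephemeral port range


@dataclass(frozen=True)
class Flow:
    client: str       # VPN client, identified by its tunnel address (constructed)
    client_port: int  # source port chosen by the client
    dst: tuple        # (destination ip, destination port)


@dataclass
class ConntrackTable:
    policy: str                       # "preserve" or "random"
    max_per_client: int = 64          # cap on concurrent entries held by one client
    rng: random.Random = field(default_factory=random.Random)
    entries: dict = field(default_factory=dict)   # Flow -> public source port

    def _in_use(self, dst, port):
        # The public port space is shared: one (dst, port) pair per entry.
        return any(f.dst == dst and p == port for f, p in self.entries.items())

    def _count(self, client):
        return sum(1 for f in self.entries if f.client == client)

    def allocate(self, flow):
        """Return the public source port assigned to ``flow``.

        The per-client cap is enforced first; collisions are then resolved
        according to the policy.
        """
        if flow in self.entries:
            return self.entries[flow]
        if self._count(flow.client) >= self.max_per_client:
            raise RuntimeError(f"{flow.client} exceeded {self.max_per_client} concurrent entries")
        if self.policy == "preserve":
            # Keep the client's chosen port; on collision fall back to the next
            # free port, which is easy for another client to anticipate.
            port = flow.client_port
            while self._in_use(flow.dst, port):
                port += 1
        elif self.policy == "random":
            # Draw from the whole ephemeral range, so the public port is not
            # derivable from the client's choice; retry on the rare collision.
            port = self.rng.choice(EPHEMERAL_RANGE)
            while self._in_use(flow.dst, port):
                port = self.rng.choice(EPHEMERAL_RANGE)
        else:
            raise ValueError(f"unknown policy {self.policy!r}")
        self.entries[flow] = port
        return port


def demo(policy, seed=7):
    """Two clients pick the same source port toward the same destination.

    Returns (victim_public_port, other_public_port, victim_port_predictable),
    where the last flag is True when the victim's public port simply equals
    the port it chose itself.
    """
    table = ConntrackTable(policy=policy, rng=random.Random(seed))
    dst = ("203.0.113.10", 443)                 # constructed destination
    victim = Flow("10.8.0.2", 40000, dst)       # constructed tunnel addresses
    other = Flow("10.8.0.3", 40000, dst)        # second client, same source port
    p_victim = table.allocate(victim)
    p_other = table.allocate(other)
    return p_victim, p_other, p_victim == victim.client_port


if __name__ == "__main__":
    print("preserve:", demo("preserve"))
    print("random:  ", demo("random"))
```

With the `preserve` policy the victim's public port is its own chosen port and the second client lands on the adjacent one, so both are guessable; with `random` the two ports are unrelated to the clients' choices, and `max_per_client` bounds how many entries any single client can occupy in the shared table.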
For end users, since the discovered flaws that make the port shadow attack possible lie on the server and not in the client app, there is little they can do to reduce the risk. The researchers recommend connecting to private VPN servers or using non-vulnerable protocols like Shadowsocks or Tor. Ultimately, it's up to the users to do due diligence to ensure their software is safe against CVE-2021-3773.
VPN services like NordVPN, ExpressVPN, and Surfshark typically use the mentioned protocols, but Citizen Lab notes that they are not vulnerable to CVE-2021-3773. It is unclear what the status is with other VPN vendors, so users are recommended to ask their providers directly about implemented fixes and mitigations.