Port reputation: Another VPN weakness is ripe for exploitation

The key finding of the researchers is that connection tracking does not always distinguish one process's connections from another's, especially in VPNs that run on top of Linux and rely on Netfilter, the kernel's standard connection-tracking implementation. Although the VPN is meant to separate clients, a tracked connection may effectively be shared by every other resource on the same machine. “This approach may pose a security risk to any applications that depend on these frameworks,” the paper said. The researchers found that an attacker using the same VPN server can de-anonymize a legitimate user's connection, decrypt and inspect their network traffic, and scan the user's ports to do further damage. Again, this points to a potential problem for corporate VPN users who share the same VPN infrastructure.

Part of the problem is that Netfilter and similar tools, such as IPFW and IPFilter, are poorly documented for this particular use case. “The documents do not clearly discuss the behavior when used by IP obfuscating VPNs,” write the authors, who list various system specifications and use cases, including a table (page 10 or 118) of weaknesses found across all three VPN protocols and both Linux-based OSes.

Not all public VPN providers are affected by port shadowing: three of the most popular, NordVPN, ExpressVPN, and Surfshark, all block it. NordVPN has confirmed to CSO that it is not vulnerable.
