Hello!
Vulnerabilities affecting multiple VPN software packages, including OpenVPN
and OpenVPN-NL, are going to be presented at the USENIX Security conference
today. If the local network is operated by a malicious party, the VPN
user's routing table can be manipulated so that data that should go
through the VPN is sent as plaintext.
The OpenVPN developers are currently considering ways to mitigate these
vulnerabilities. For now, users can mitigate them as follows:
* Specify the VPN server by an IP address, not by a hostname. If that
is not possible, authenticate DNS traffic in some way (e.g., DNSSEC,
DNS over HTTPS) *before* setting up the VPN tunnel.
* Do not connect to untrusted networks. VPNs do not offer perfect
protection against malicious local network operators.
* If you have to use an untrusted network, add the block-local flag
to redirect-gateway in the client configuration. (Note that this
disables all traffic to the local network, so it cannot be added to
every configuration.)
You can find an explanation of these attacks, including a link to the
paper, at https://tunnelcrack.mathyvanhoef.com. I include a brief summary
below.
Typically, the routing table while a VPN is running looks as follows:
* All traffic not matching any other rule is sent through the VPN.
* Traffic to an address in the local network is *not* sent through the
VPN. This way, machines in the local network can still be accessed.
* Traffic to the VPN server itself is sent directly to the router, not
through the tunnel.
# LocalNet Attack
In the LocalNet Attack, a malicious DHCP server claims that a public IP
address is in the local network. For example, if the attacker wanted to
leak traffic to wikipedia.org (91.198.174.192), it would claim that the
local network is 91.198.174.0/24. Of course, traffic to websites will
usually be encrypted, but it will still leak whether the website is
visited.
This can be prevented by adding the block-local flag to redirect-gateway
(see the manual), but it will also block access to any machines in the
local network while the VPN is in use.
# ServerIP Attack
The ServerIP Attack affects clients that have the VPN server specified
by a hostname rather than an IP address. The attacker spoofs the DNS
response to make the client use an IP under their control as VPN server.
Let's say this IP address is 1.2.3.4. This server proxies the VPN
traffic to the actual VPN server so that the user does not notice
anything is wrong.
Now, the attacker can spoof the DNS responses for other hosts to send
traffic to the same server at 1.2.3.4. Because this is the same address
as the VPN server, this traffic bypasses the VPN and goes directly to
the router.
This attack can be prevented by using a hard-coded IP address for the
VPN server, or by authenticating DNS in some way (e.g., DNSSEC or DNS
over HTTPS) *before* setting up the tunnel.
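To make the LocalNet routing behaviour and the two client-side mitigations above concrete, here is a small added audit script (my own example, not part of the original post or of OpenVPN). It assumes a constructed routing table and client config; the VPN server address 203.0.113.10 and the interface names tun0/eth0 are assumptions.

```python
import ipaddress

# Constructed sample data (not from the original post). Routes are (prefix,
# interface): "tun0" is the VPN tunnel, "eth0" the physical interface, and
# 203.0.113.10 is an assumed VPN server address.
ROUTES_NORMAL = [("0.0.0.0/0", "tun0"), ("192.168.1.0/24", "eth0"),
                 ("203.0.113.10/32", "eth0")]
# After a LocalNet attack: a rogue DHCP server claimed the local network is
# 91.198.174.0/24, the range containing wikipedia.org, so that prefix now
# bypasses the tunnel and leaves on eth0 in plaintext.
ROUTES_LOCALNET = [("0.0.0.0/0", "tun0"), ("91.198.174.0/24", "eth0"),
                   ("203.0.113.10/32", "eth0")]

CONFIG_WEAK = "client\nremote vpn.example.com 1194\nredirect-gateway def1\n"
CONFIG_HARDENED = "client\nremote 203.0.113.10 1194\nredirect-gateway def1 block-local\n"

def audit_routes(routes, vpn_iface="tun0", vpn_server=None):
    """Flag routes that bypass the VPN yet cover public address space. A real
    local network is private or link-local; a public prefix on the physical
    interface is what a LocalNet attack leaves behind. The VPN server's own
    host route legitimately bypasses the tunnel and is skipped."""
    server = ipaddress.ip_address(vpn_server) if vpn_server else None
    findings = []
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if iface == vpn_iface or (server is not None and net.num_addresses == 1 and server in net):
            continue
        if net.is_global:
            findings.append(f"{prefix} via {iface} bypasses the VPN but is public address space")
    return findings

def check_client_config(config_text):
    """Check the two mitigations from the post in an OpenVPN client config:
    'remote' should be an IP literal (ServerIP attack) and 'redirect-gateway'
    should include block-local (LocalNet attack)."""
    findings = []
    for line in config_text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) > 1 and words[0] == "remote":
            try:
                ipaddress.ip_address(words[1])
            except ValueError:
                findings.append(f"remote '{words[1]}' is a hostname: server address depends on unauthenticated DNS")
        if words and words[0] == "redirect-gateway" and "block-local" not in words:
            findings.append("redirect-gateway without block-local: local-network routes can leak")
    return findings

if __name__ == "__main__":
    print(audit_routes(ROUTES_LOCALNET, vpn_server="203.0.113.10"))
    print(check_client_config(CONFIG_WEAK))
```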
Best regards,
Max Fillinger