
Unpatchable VPN Vulnerability Exposes Data to Attackers: What You Need to Know

In a recent revelation that has sent shockwaves through the cybersecurity community, researchers have unearthed a significant vulnerability in virtual private networks (VPNs) dubbed TunnelVision. This flaw, described as deep and unpatchable, poses a substantial threat to data security, allowing malicious actors to intercept sensitive information without leaving a trace. The implications of this discovery are profound, shedding light on the inherent limitations of VPNs as a stand-alone security solution and underscoring the urgent need for a more robust and comprehensive approach to cybersecurity. 

By manipulating DHCP option 121, attackers can reroute data traffic within the encrypted VPN tunnel to a malicious gateway under their control. This interception occurs stealthily, without triggering any alarms or alerts, as the VPN software remains unaware that its contents have been rerouted. Consequently, organizations may remain oblivious to the breach until it's too late, allowing threat actors to siphon off data undetected. 

What makes TunnelVision particularly insidious is its ability to evade detection by traditional security measures. Unlike conventional attacks that leave behind telltale signs of intrusion, TunnelVision operates covertly within the encrypted VPN tunnel, making it virtually invisible to standard intrusion detection systems and VPN monitoring tools. As a result, organizations may be blindsided by the breach, unaware that their data is being compromised until it's too late to take action. 

The discovery of TunnelVision has profound implications for organizations that rely on VPNs to secure their networks and safeguard sensitive information. It exposes the inherent vulnerabilities of VPNs as a single point of failure in the security infrastructure, highlighting the need for a more holistic and layered approach to cybersecurity. Simply put, VPNs were never designed to serve as a comprehensive security solution; they are merely a means of establishing encrypted connections between remote users and corporate networks. 

To mitigate the risks posed by TunnelVision and similar vulnerabilities, organizations must adopt a multifaceted cybersecurity strategy that encompasses strong encryption, enhanced network monitoring, and a zero-trust security model. By encrypting data before it enters the VPN tunnel, organizations can ensure that even if intercepted, the data remains protected from prying eyes. Additionally, implementing rigorous network monitoring protocols can help detect and respond to anomalous behaviour indicative of a breach. 

Moreover, embracing a zero-trust security model, which assumes that no entity—whether inside or outside the network perimeter—is inherently trustworthy, can help organizations better defend against sophisticated attacks like TunnelVision. The discovery of TunnelVision serves as a wake-up call for organizations to reevaluate their cybersecurity posture and adopt a more proactive and comprehensive approach to threat mitigation. By addressing the underlying vulnerabilities in VPNs and implementing robust security measures, organizations can better protect their sensitive data and safeguard against emerging threats in an increasingly hostile digital landscape.

New Attack Renders Most VPN Apps Vulnerable

A new attack, dubbed TunnelVision, has materialised as a threat to the security of virtual private network (VPN) applications, potentially compromising their ability to protect user data. Researchers have detected vulnerabilities affecting nearly all VPN apps, which could allow attackers to intercept, manipulate, or divert traffic outside of the encrypted tunnel, undermining the fundamental purpose of VPNs.


How TunnelVision Works

TunnelVision exploits a flaw in the Dynamic Host Configuration Protocol (DHCP) server, the system responsible for assigning IP addresses on a network. By manipulating a specific setting called option 121, attackers can divert VPN traffic through the DHCP server, bypassing the encrypted tunnel meant to secure the data. This manipulation allows attackers to intercept, read, drop, or modify the traffic, compromising the user's privacy and the integrity of the VPN connection.
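Option 121 carries classless static routes (RFC 3442), and an operating system picks a route by longest prefix match, so a pushed route that is more specific than the VPN's own routes wins without the VPN noticing. The following is an added example, not code from either post or from the TunnelVision researchers: it decodes an option 121 payload, shows which route the host would pick for a destination with and without the pushed routes, and flags the pushed routes that override the tunnel. All addresses, interface names and the lease payload are constructed for the demonstration.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample values; none of these come from the original posts.
PHYSICAL_IF = "eth0"   # interface that received the DHCP lease
TUNNEL_IF = "tun0"     # the VPN interface


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: str


def parse_option121(payload: bytes, interface: str = PHYSICAL_IF) -> list[Route]:
    """Decode DHCP option 121 (classless static routes, RFC 3442).

    Each entry is: one byte prefix length, ceil(prefix/8) destination octets,
    then four router octets. A malformed payload raises ValueError instead of
    being partially installed.
    """
    routes = []
    pos = 0
    while pos < len(payload):
        prefix_len = payload[pos]
        pos += 1
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len}")
        dest_octets = (prefix_len + 7) // 8
        if pos + dest_octets + 4 > len(payload):
            raise ValueError("truncated option 121 entry")
        dest = payload[pos:pos + dest_octets] + b"\x00" * (4 - dest_octets)
        pos += dest_octets
        router = payload[pos:pos + 4]
        pos += 4
        network = ipaddress.IPv4Network((dest, prefix_len), strict=False)
        routes.append(Route(network, ipaddress.IPv4Address(router), interface))
    return routes


def select_route(dest: str, table: list[Route]) -> Route | None:
    """Longest-prefix match, which is how the OS chooses among routes."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in table if addr in r.network]
    return max(candidates, key=lambda r: r.network.prefixlen, default=None)


def tunnel_bypass_routes(pushed: list[Route], tunnel: list[Route]) -> list[Route]:
    """Pushed routes that are at least as specific as a tunnel route covering them.

    Such a route beats the VPN's routes in longest-prefix match, so traffic to
    that prefix leaves via the physical interface while the tunnel stays up.
    Equal-length prefixes are flagged too, since the outcome then depends on
    metrics rather than on what the VPN intended.
    """
    return [r for r in pushed if any(r.network.subnet_of(t.network) for t in tunnel)]


# Constructed routing state: many VPN clients split the default route into two
# /1 routes via the tunnel so they beat the LAN default route, which the DHCP
# server supplies via option 3.
TUNNEL_ROUTES = [
    Route(ipaddress.IPv4Network("0.0.0.0/1"), ipaddress.IPv4Address("10.8.0.1"), TUNNEL_IF),
    Route(ipaddress.IPv4Network("128.0.0.0/1"), ipaddress.IPv4Address("10.8.0.1"), TUNNEL_IF),
]
LAN_DEFAULT = Route(ipaddress.IPv4Network("0.0.0.0/0"),
                    ipaddress.IPv4Address("192.168.1.1"), PHYSICAL_IF)

# Constructed option 121 payload with two classless static routes:
#   10.20.0.0/16 via 192.168.1.254 -> prefix 16, two destination octets, router
#   0.0.0.0/0    via 192.168.1.1   -> prefix 0, no destination octets, router
SAMPLE_OPTION_121 = bytes([16, 10, 20, 192, 168, 1, 254,
                           0, 192, 168, 1, 1])


def audit_lease(option121: bytes) -> list[str]:
    """Human-readable findings for the option 121 payload of a lease."""
    pushed = parse_option121(option121)
    return [f"{r.network} via {r.gateway} on {r.interface} overrides the tunnel route"
            for r in tunnel_bypass_routes(pushed, TUNNEL_ROUTES)]


if __name__ == "__main__":
    table = TUNNEL_ROUTES + [LAN_DEFAULT] + parse_option121(SAMPLE_OPTION_121)
    hit = select_route("10.20.5.5", table)
    print(f"10.20.5.5 -> {hit.network} via {hit.gateway} on {hit.interface}")
    for finding in audit_lease(SAMPLE_OPTION_121):
        print("FINDING:", finding)
```

A DHCP client hook or a lease monitor can run `audit_lease` on each new lease: the VPN's /1 routes are still present in the table, which is why the VPN software reports nothing, yet the /16 pushed by the lease is what the host actually uses for that prefix. The pushed 0.0.0.0/0 is not flagged because it is less specific than the tunnel's /1 routes.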


Implications for VPN Users

The consequences of TunnelVision are severe. Despite users trusting that their data is securely transmitted through the VPN, the reality is that some or all of the traffic may be routed outside of the protected connection. This means that sensitive information, such as passwords, financial details, or personal communications, could be exposed to interception or manipulation by unauthorized parties.

The vulnerability affects a wide range of operating systems and devices, with the exception of Android, which does not implement option 121 in its DHCP server. For other operating systems, including Linux, there are no complete fixes available. Even with mitigations in place, such as those that minimise the effects on Linux, TunnelVision can still exploit side channels to compromise security.

While there is no foolproof solution to the TunnelVision attack, certain measures can reduce the risk. Running the VPN inside a virtual machine or connecting through a cellular device's Wi-Fi network can enhance security by isolating the VPN connection from potential attacks. However, these solutions may not be accessible or practical for all users, highlighting the need for further research and development in VPN security.

TunnelVision represents a harrowing threat to the integrity of VPNs, undermining their ability to protect user data from interception and manipulation. With the potential for widespread exploitation, it is essential for VPN providers and users to be aware of the risks and take appropriate measures to steer clear of potential attacks. 


Vulnerability in DHCP client let hackers take control of network

A critical remote code execution vulnerability residing in the DHCP client allows attackers to take control of a system by sending malicious DHCP reply packets.

A Dynamic Host Configuration Protocol (DHCP) client allows a device to act as a host that requests configuration parameters, such as an IP address, from a DHCP server; the DHCP client can be configured on Ethernet interfaces.

In order to join a client to the network, the packets exchanged during DHCP Offer and DHCP Ack are required to carry all of the client's TCP/IP configuration information.

DHCP works as a client-server model: it dynamically allocates an IP address when a user connects to the network, and the DHCP server is responsible for distributing IP addresses to DHCP clients.

This vulnerability executes remote code on a system whose vulnerable DHCP client tries to connect to a rogue DHCP server.

Vulnerability Details

The remote code execution vulnerability resides in the dhcpcore.dll function “DecodeDomainSearchListData”, which decodes the encoded value of the domain search list option.

During decoding, the function calculates the length of the decoded domain name list, allocates memory of that size, and copies the decoded list into it.

According to McAfee research, a malicious user can craft an encoded search list such that, when the DecodeDomainSearchListData function decodes it, the resulting length is zero. This leads to a HeapAlloc with a size of zero, resulting in an out-of-bounds write.

The vulnerability has been patched and is tracked as CVE-2019-0547. The patch adds a check that ensures the size argument to HeapAlloc is not zero; if it is zero, the function exits.
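The domain search list option (option 119, RFC 3397) is a sequence of DNS names in RFC 1035 wire format, with compression pointers that refer back into the option data. The decoder below is an added example, not McAfee's or Microsoft's code: it follows the steps the post describes (decode the names, compute the decoded size, then build the result) and applies the same zero-length check the patch added, plus the pointer and label-length checks that a robust decoder needs anyway. Python has no heap-allocation hazard, so here the check simply refuses to produce an empty list; the sample payloads are constructed.

```python
from __future__ import annotations

MAX_LABEL_LEN = 63       # label length bytes 64..191 have reserved high bits
MAX_POINTER_HOPS = 16    # bound on compression pointers per name


def _read_name(data: bytes, start: int) -> tuple[list[str], int]:
    """Read one RFC 1035 name at `start`, following compression pointers.

    Returns (labels, position_after_name). When a pointer was followed, the
    caller resumes just past the first pointer, as RFC 3397 specifies.
    """
    labels: list[str] = []
    pos = start
    resume = None
    hops = 0
    while True:
        if pos >= len(data):
            raise ValueError("name runs past the end of the option data")
        length = data[pos]
        if length == 0:                       # root label ends the name
            pos += 1
            break
        if length & 0xC0 == 0xC0:             # compression pointer: 11xxxxxx
            if pos + 1 >= len(data):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | data[pos + 1]
            if target >= pos:
                raise ValueError("compression pointer must point backwards")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("too many compression pointers")
            if resume is None:
                resume = pos + 2
            pos = target
            continue
        if length > MAX_LABEL_LEN:
            raise ValueError(f"invalid label length byte {length:#x}")
        if pos + 1 + length > len(data):
            raise ValueError("truncated label")
        labels.append(data[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return labels, (resume if resume is not None else pos)


def decode_domain_search_list(data: bytes) -> list[str]:
    """Decode DHCP option 119 into a list of search domains.

    The decoded size is computed before the result is built, and a size of
    zero is rejected: that is the check the CVE-2019-0547 patch added in
    front of HeapAlloc, modelled here as a validation error.
    """
    names: list[str] = []
    pos = 0
    while pos < len(data):
        labels, pos = _read_name(data, pos)
        if labels:
            names.append(".".join(labels))
    decoded_size = sum(len(n) + 1 for n in names)  # names plus separators
    if decoded_size == 0:
        raise ValueError("decoded search list has zero length; refusing empty allocation")
    return names


# Constructed payload: "eng.example.com" in full, then "example.com" written as
# a pointer (0xC0 0x04) back to offset 4, where the "example" label starts.
SAMPLE_SEARCH_LIST = b"\x03eng\x07example\x03com\x00" + b"\xc0\x04"
# Constructed payloads a decoder must reject.
ROOT_ONLY = b"\x00"          # decodes to nothing: the zero-length case
SELF_POINTER = b"\xc0\x00"   # pointer to itself: would loop forever


if __name__ == "__main__":
    print(decode_domain_search_list(SAMPLE_SEARCH_LIST))
    for bad in (ROOT_ONLY, SELF_POINTER):
        try:
            decode_domain_search_list(bad)
        except ValueError as err:
            print(f"rejected {bad!r}: {err}")
```

The root-only payload is the interesting one: it is syntactically valid, decodes cleanly, and yields nothing, which is exactly the case in which a decoder that sizes its output from the decoded data ends up allocating zero bytes.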


A Command Injection Critical Vulnerability Discovered In DHCP




The Dynamic Host Configuration Protocol (DHCP) client shipped with Red Hat Enterprise Linux has recently been found to contain a command injection vulnerability that allows a malicious actor who can set up a DHCP server, or otherwise spoof DHCP responses on the local network, to execute commands with root privileges.

The vulnerability, designated CVE-2018-1111 by Red Hat, was found by Google engineer Felix Wilhelm, who noted that the proof-of-concept exploit code is small enough to fit in a tweet. Red Hat rates it a "critical vulnerability", as noted in the bug report, indicating that it can be exploited effectively by a remote unauthenticated attacker.

DHCP is used to assign an IP address, DNS servers, and other network configuration attributes to devices on a network, and it is used in both wired and wireless networks. Since the only requirement for using this exploit is being on the same network, the vulnerability is especially concerning on systems likely to connect to untrusted public Wi-Fi networks, which most likely means Fedora users on laptops.

Ultimately, any non-isolated network that allows devices to join without explicit administrator approval, which is arguably the point of enabling DHCP in the first place, is a risk.

This bug affects RHEL 6.x and 7.x, as well as CentOS 6.x and 7.x, and Fedora 26, 27, 28, and Rawhide. Other operating systems based on Fedora/RHEL are likely to be affected, including HPE's ClearOS and Oracle Linux, as well as the recently discontinued Korora Linux. Since the issue relates to a NetworkManager integration script, it is unlikely to affect Linux distributions that are not derived from Fedora or RHEL.
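The root cause class here is DHCP-supplied strings reaching a shell script without being treated as untrusted input. The following is an added example of the defensive pattern, not the NetworkManager script or Red Hat's fix: each option value is checked against an allowlist for its option type, anything that passes is rendered as a shell assignment with `shlex.quote`, and the shell's own tokenizer rules confirm the result is exactly one word. The option names, patterns and lease values are constructed and illustrative.

```python
from __future__ import annotations

import re
import shlex

# Constructed allowlists for a few DHCP string options a hook script might export.
# The option names are illustrative, not those of any particular client.
OPTION_PATTERNS = {
    "host_name":   re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"),
    "domain_name": re.compile(r"[A-Za-z0-9.-]{1,253}"),
    "routers":     re.compile(r"(\d{1,3}\.){3}\d{1,3}( (\d{1,3}\.){3}\d{1,3})*"),
}
SHELL_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def option_is_well_formed(option: str, value: str) -> bool:
    """Allowlist check: the value must match the syntax its option type permits."""
    pattern = OPTION_PATTERNS.get(option)
    return pattern is not None and pattern.fullmatch(value) is not None


def shell_assignment(name: str, value: str) -> str:
    """Render NAME=value so a POSIX shell parses it as exactly one assignment.

    shlex.quote single-quotes anything containing metacharacters and escapes
    embedded single quotes, so the value cannot close the quoting and be read
    as a separate command.
    """
    if not SHELL_NAME.fullmatch(name):
        raise ValueError(f"refusing variable name {name!r}")
    return f"{name}={shlex.quote(value)}"


def export_lease(options: dict[str, str]) -> tuple[list[str], list[str]]:
    """Build the assignments a hook script would be handed.

    Returns (accepted_assignments, rejected_option_names). Options with no
    allowlist entry or with a malformed value are dropped, not sanitised.
    """
    accepted, rejected = [], []
    for option, value in options.items():
        if option_is_well_formed(option, value):
            accepted.append(shell_assignment(f"DHCP_{option.upper()}", value))
        else:
            rejected.append(option)
    return accepted, rejected


def parses_as_single_assignment(line: str) -> bool:
    """Confirm with shell tokenizer rules that the line is one word."""
    return len(shlex.split(line)) == 1


# Constructed lease: three well-formed options and one with no allowlist entry
# whose value contains spaces and quotes.
SAMPLE_LEASE = {
    "host_name": "ws-042",
    "domain_name": "corp.example",
    "routers": "192.168.1.1",
    "vendor_text": "free-form 'text' from the server",
}


if __name__ == "__main__":
    accepted, rejected = export_lease(SAMPLE_LEASE)
    for line in accepted:
        print(line, "OK" if parses_as_single_assignment(line) else "BAD")
    print("rejected:", rejected)
```

The two layers are deliberately independent: the allowlist rejects values that make no sense for their option type regardless of how they are quoted, and the quoting keeps even an accepted value inert if it ever reaches `eval` or a sourced file.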