"Port Shadow" Attack Still Affects VPN Software

Researchers from Citizen Lab have discovered that the “Port Shadow” attack is still a problem for some VPN users, putting privacy and potentially security at risk. It was first discovered in 2021, and has since been found to impact VPN users across a range of devices and platforms.

The “Port Shadow” attack concerns a vulnerability in certain VPN implementations that allows a bad actor — potentially someone else using the same VPN server — to hijack and manipulate another user’s connection, intercepting and tampering with data in the process. As the researchers write in a paper made public on Monday, “These new attacks can allow an attacker to redirect a victim’s traffic to the attacker’s machine, perform denial-of-service attacks on the victim, and even exploit other vulnerabilities in the VPN server to deanonymize the victim.”

The attack is made possible by shared resources within the VPN server, specifically the “connection tracking frameworks” used by major OSes (Linux and FreeBSD) to manage VPN traffic. By manipulating these components, an attacker can effectively trick the VPN server into sending data in directions it shouldn’t, the researchers say.

“We call this attack a port shadow because the attacker shadows their own information as a shared resource on the victim’s port,” the researchers explain in a FAQ. “The port shadow vulnerability is a fundamental issue with the connection tracking frameworks in (Linux and FreeBSD) that allows a malicious user to hijack the connections of other users.”

The researchers found that the Port Shadow attack can affect users of VPN software using the OpenVPN and WireGuard protocols, which is a substantial chunk of the market. Even though OpenVPN and WireGuard themselves weren’t directly vulnerable, the researchers discovered that — thanks to the Port Shadow attack — attackers could exploit other weaknesses in the VPN server, potentially leading to more serious consequences.

The team developed proof-of-concept exploits that allowed them to redirect traffic to their machines from users of certain VPN services, including NordVPN, ProtonVPN, VyprVPN, ExpressVPN, Mullvad, IVPN, HMA, Surfshark, CyberGhost, TorGuard, Private Internet Access, and Hide.me. And the exploits didn’t require physical proximity — just that an attacker somehow be on the same network as the victim.

“These vulnerabilities and attacks were found on the server side of VPN software and thus cannot be mitigated by the user,” the researchers wrote. “We disclosed our findings to the VPN providers and the developers of the affected VPN server software. In response, some VPN providers are switching to non-vulnerable server implementations and implementing firewall-level mitigations.”

The researchers note that the Port Shadow flaw — specifically the vulnerability in the connection tracking frameworks (which they say has a CVSS severity rating of 7.5, or “high severity”) — was first identified and assigned a CVE number, CVE-2021-3773, in 2021. But while there are now mitigations available, the researchers say that the underlying issue isn’t entirely fixed.

In fact, the researchers found that the Port Shadow attack is still exploitable in the most recent versions of the Linux kernel. Further, the vulnerabilities they discovered are specific to the VPN server and can’t be fully addressed by client-side updates.

The researchers advise that users connect to private VPN servers or switch to non-vulnerable VPN protocols like Shadowsocks. And they point out that some VPN providers have already taken steps to protect their users — the providers mentioned above, for instance.

It’s worth noting that the researchers didn’t systematically test the top VPN services to determine whether they were vulnerable. But they say that the attacks they developed could interfere with or cause issues for legitimate VPN clients.

The Port Shadow attack is similar to but distinct from a set of attacks discovered by the same team last year. The so-called “Vulcan and ”Vulcan Plus” attacks were vulnerabilities in the VPN server itself that allowed an attacker to fully compromise the server and spy on users’ traffic, in some cases deanonymizing users.

Those attacks, which were found to impact the VPN services of more than 200 companies, were patched by the providers after they were disclosed in May 2023.

The researchers behind the Port Shadow attack — Benjamin Mixon-Baca, Andrei Kurilin, Mark Hau, and Jeffrey Knockel — plan to present the findings at the PETS 2024 Privacy-Enhancing Technologies Symposium in Bristol, U.K. this week.