Invisible Adversaries: A Systematic Study of Session Manipulation Attacks on VPNs
Yuxiang Yang, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu

TL;DR
This paper uncovers vulnerabilities in VPN connection tracking frameworks that allow session manipulation attacks, leading to denial-of-service, hijacking, and DNS injection, affecting multiple providers and OSes.
Contribution
It systematically analyzes session manipulation vulnerabilities in VPNs, presents three new attack methods, and evaluates their impact across popular frameworks and providers.
Findings
All tested frameworks are vulnerable to at least one attack.
Eight out of nine VPN providers are susceptible to session manipulation.
Responsible disclosure led to 19 CVEs and community acknowledgments.
Abstract
Virtual Private Networks (VPNs) are widely used for censorship evasion and traffic protection. VPN users expect to be provided with adequate security protection, and at the same time not be affected by other users connected to the same VPN server, which can be illustrated as the non-interference property. However, in this paper, we have identified several vulnerabilities that violate this property, specifically within the connection tracking frameworks of VPN servers, stemming from shared resource misuse and insufficient validation of session state transitions. We present three session manipulation attacks targeting TCP and UDP traffic tunneled through VPNs. The attacker who only connects to the same VPN server can launch denial-of-service attacks, hijack TCP connections of other clients, or inject forged DNS responses into their queries. We evaluate these attacks against five popular…
