Sharing connection information could be a problem among users of the same VPN server without proper protection, researchers have found. Corporate VPN servers in particular are vulnerable to the flaw.

A new flaw in virtual private networks (VPNs) was reported last week at a security conference. The flaw, discovered by a collection of academic and industry researchers, concerns how VPN servers assign TCP/IP communication ports, which an attacker can use to attack the servers' connection tracking feature. This flaw, called port shadowing, is yet another weakness in VPNs but very different from the Tunnelvision problem reported on by another group of researchers in May.

One of the researchers is Jeffrey Knockel of the Citizen Lab from the University of Toronto. Citizen Lab was part of the effort to investigate the Pegasus spying software in 2023 that was found on the phones of various journalists and activists.

How port shadow works

Port shadowing allows an attacker to intercept and redirect encrypted traffic and learn more about the origins and connections operating across the VPN itself. It is an old issue that was written about several years ago and deals with a flaw that identifies which applications are communicating through a VPN by their network port.

Port shadowing depends on Network Address Translation (NAT) and how the VPN software consumes NAT resources to initiate connection requests, allocate IP addresses, and set up network routes. If exploited, it could be used to conduct man-in-the-middle attacks. As with Tunnelvision, exploited users have no indication that their sessions have been compromised; other than that, the two vulnerabilities use different aspects of the VPN infrastructure and operate differently.

Port shadow is a product of the inherent design of VPNs that offer privacy-enhancing features by aggregating the network traffic of numerous users together. This traffic sharing makes the exploit possible.
“If the VPN server were not shared with other VPN users, then the attacks would not be possible,” the authors wrote in the paper. That is somewhat ironic and yet a demonstration of how complex the security world has become — and why it is important for IT managers to stay on top of these discoveries to maintain their network security.

How attackers can use port shadow

What the new research identified was how port shadow, combined with low-level network connection tracking, could be leveraged by bad actors. This feature typically manages which internal operating system processes are using specific network connections.

The team studied 58 configurations of operating systems and connection tracking frameworks using the three major underlying VPN protocols: OpenVPN, OpenConnect, and WireGuard. They assumed three important conditions that would enable the potential for attacks:

- The attacker knows the target user’s public IP address
- The attacker knows the VPN server’s IP address
- The VPN server’s entry and exit IP addresses are the same

They found that the vulnerability wasn’t specific to the VPN protocol but to how the underlying systems were configured to allow the port shadow to happen. The paper goes into detail about why these three conditions are quite common, especially with corporate VPN servers.

The core discovery by the researchers is that connection tracking features don’t always isolate processes from each other, especially with those VPNs that run on top of Linux and make use of Netfilter implementations, a typical internal connection tracking routine. Without this isolation, connections could be shared across other machine resources. “This approach can pose potential security risks to any applications dependent on these frameworks,” stated the paper.

They found that if an attacker was using the same VPN server, they could de-anonymize a valid user’s connection, decrypt and snoop their network traffic, and scan a user’s ports to do more damage.
Again, this points to a potential issue among corporate VPN users who are sharing the same VPN infrastructure.

Part of the problem is that Netfilter and other tools such as IPFW and IPfilter aren’t well documented for this particular use case. “The documentation doesn’t explicitly discuss the behavior when used by IP obfuscating VPNs,” wrote the authors, who list the various system details and use cases, and included a table (page 10 or 118) with the vulnerabilities found across all three VPN protocols and across two typical Linux-based OSes.

Not all public VPN providers are susceptible to port shadow, including three of the more popular ones: NordVPN, ExpressVPN, and Surfshark, all of which block port shadow. NordVPN confirmed to CSO that they aren’t vulnerable.

Samuele Kaplun is a VPN Lead from Proton, a Swiss VPN provider. He told CSO that “Proton VPN is not affected by the port shadowing vulnerability. Our setup ensures different entry and exit IP addresses, preventing attackers from exploiting this issue. Additionally, the complexity of the attack, requiring knowledge of both the victim’s public IP and VPN server, makes it impractical. Even if attempted, the only result would be a failed VPN connection.”

“We recommend that VPN developers/providers ensure that source port selection is randomized, block VPN clients from selecting the listening port of the VPN server as a source port and limit the number of concurrent VPN connections by a single user,” said the researchers. “For end users, the most foolproof mitigation is to connect to private VPN servers to which only they have access or trust or to switch to non-vulnerable protocols such as Shadowsocks or Tor instead of OpenVPN or WireGuard.”

The authors provide a few ways to implement a firewall rule on corporate-owned VPN servers using the Linux command line to prevent port shadowing attacks.
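One way to check a Linux VPN server's connection-tracking table for the condition the researchers recommend blocking, a VPN client using the server's listening port as its source port. This is an added example, not code from the paper or the article; the tunnel subnet, server address, port and sample entries are constructed assumptions.

```python
import ipaddress
import re

# Assumed deployment values (not from the article).
TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")   # addresses handed to VPN clients
SERVER_IP = "198.51.100.7"                         # shared entry/exit address
LISTEN = ("udp", 1194)                             # VPN server's listening socket

# Constructed sample in the layout printed by `conntrack -L`:
# protocol, timers, original tuple, then the reply tuple after NAT.
SAMPLE = """\
udp 17 28 src=10.8.0.5 dst=192.0.2.53 sport=51820 dport=53 src=192.0.2.53 dst=198.51.100.7 sport=53 dport=51820 mark=0 use=1
udp 17 29 src=10.8.0.9 dst=192.0.2.80 sport=1194 dport=4000 [UNREPLIED] src=192.0.2.80 dst=198.51.100.7 sport=4000 dport=1194 mark=0 use=1
udp 17 170 src=203.0.113.20 dst=198.51.100.7 sport=40000 dport=1194 src=198.51.100.7 dst=203.0.113.20 sport=1194 dport=40000 [ASSURED] mark=0 use=1
tcp 6 431990 ESTABLISHED src=10.8.0.9 dst=192.0.2.80 sport=1194 dport=443 src=192.0.2.80 dst=198.51.100.7 sport=443 dport=1194 [ASSURED] mark=0 use=1
"""

TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def shadowing_flows(conntrack_text):
    """Return (client_ip, reason) for tunnel-client flows on the listening port."""
    hits = []
    for line in conntrack_text.splitlines():
        tuples = TUPLE.findall(line)
        if len(tuples) != 2:  # ICMP or malformed entries carry no port pairs
            continue
        proto = line.split()[0]
        (o_src, _, o_sport, _), (_, r_dst, _, r_dport) = tuples
        try:
            from_client = ipaddress.ip_address(o_src) in TUNNEL_NET
        except ValueError:
            continue
        if proto != LISTEN[0] or not from_client:
            continue
        if int(o_sport) == LISTEN[1]:
            hits.append((o_src, "client used the listening port as source port"))
        elif r_dst == SERVER_IP and int(r_dport) == LISTEN[1]:
            hits.append((o_src, "NAT mapped the flow onto the listening port"))
    return hits


if __name__ == "__main__":
    for client, reason in shadowing_flows(SAMPLE):
        print(f"{client}: {reason}")
```

On a live server the input would be the output of `conntrack -L`; the check complements, and does not replace, a firewall rule that drops such packets.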