Skip to main content

Client-Side Vulnerabilities in Commercial VPNs

Part of the Lecture Notes in Computer Science book series (LNSC,volume 11875)

Abstract

Internet users increasingly rely on commercial virtual private network (VPN) services to protect their security and privacy. The VPN services route the client’s traffic over an encrypted tunnel to a VPN gateway in the cloud. Thus, they hide the client’s real IP address from online services, and they also shield the user’s connections from perceived threats in the access networks. In this paper, we study the security of such commercial VPN services. The focus is on how the client applications set up VPN tunnels, and how the service providers instruct users to configure generic client software. We analyze common VPN protocols and implementations on Windows, macOS and Ubuntu. We find that the VPN clients have various configuration flaws, which an attacker can exploit to strip off traffic encryption or to bypass authentication of the VPN gateway. In some cases, the attacker can also steal the VPN user’s username and password. We suggest ways to mitigate each of the discovered vulnerabilities.

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-35055-0_7
  • Chapter length: 17 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   54.99
Price excludes VAT (USA)
  • ISBN: 978-3-030-35055-0
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   69.99
Price excludes VAT (USA)

References

  1. EasySSTP. https://mac.softpedia.com/get/Network-Admin/EasySSTP.shtml

  2. Identity parsing in StrongSwan. https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing

  3. Known L2TP/IPsec preshared keys. https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa

  4. OpenVPN. https://openvpn.net/

  5. OpenVPN management interface notes. https://openvpn.net/community-resources/management-interface/

  6. SoftEther VPN project. https://www.softether.org/

  7. sstp-client. https://sourceforge.net/projects/sstp-client/

  8. Strongswan. https://www.strongswan.org/

  9. CVE-2018-3952 (2018). https://nvd.nist.gov/vuln/detail/CVE-2018-3952

  10. CVE-2018-4010 (2018). https://nvd.nist.gov/vuln/detail/CVE-2018-4010

  11. Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., Levkowetz, H.: Extensible authentication protocol (EAP). RFC 3748 (2004)

    Google Scholar 

  12. Appelbaum, J., Ray, M., Koscher, K., Finder, I.: vpwns: virtual pwned networks. In: USENIX Workshop on Free and Open Communications on the Internet. USENIX Association (2012)

    Google Scholar 

  13. Atkinson, R., Kent, S.: Security architecture for the Internet protocol. RFC 4301 (1998)

    Google Scholar 

  14. Bui, T., Rao, S.P., Antikainen, M., Bojan, V.M., Aura, T.: Man-in-the-machine: exploiting ill-secured communication inside the computer. In: USENIX Security 2018. USENIX Association (2018)

    Google Scholar 

  15. Cisco: Introduction to Cisco IPsec technology. https://www.cisco.com/c/en/us/td/docs/net_mgmt/vpn_solutions_center/2-0/ip_security/provisioning/guide/IPsecPG1.html

  16. Fazal, L., Ganu, S., Kappes, M., Krishnakumar, A.S., Krishnan, P.: Tackling security vulnerabilities in VPN-based wireless deployments. In: ICC (2004)

    Google Scholar 

  17. Felsch, D., Grothe, M., Schwenk, J., Czubak, A., Szymanek, M.: The dangers of key reuse: practical attacks on IPsec IKE. In: USENIX Security 2018. USENIX Association (2018)

    Google Scholar 

  18. Hamzeh, K., Pall, G., Verthein, W., Taarud, J., Little, W., Zorn, G.: Point-to-point tunneling protocol (PPTP). RFC 2637 (1999)

    Google Scholar 

  19. Horst, M., Grothe, M., Jager, T., Schwenk, J.: Breaking PPTP VPNs via RADIUS encryption. In: Foresti, S., Persiano, G. (eds.) CANS 2016. LNCS, vol. 10052, pp. 159–175. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-48965-0_10

    CrossRef  Google Scholar 

  20. Hurst, R., Palekar, A.: Microsoft EAP CHAP extensions. IETF Draft (2007)

    Google Scholar 

  21. Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., Kivinen, T.: Internet key exchange protocol version 2 (IKEv2). RFC 7296 (2014)

    Google Scholar 

  22. Marlinspike, M., Ray, M.: Divide and conquer: Cracking MS-CHAPv2 with a 100% success rate (2012). https://www.cloudcracker.com/blog/2012/07/29/cracking-ms

  23. Microsoft: Routing and remote access service. https://docs.microsoft.com/en-us/windows/desktop/RRAS/

  24. Microsoft: RRAS’s VpnStrategy. https://msdn.microsoft.com/en-us/library/ee808236.aspx

  25. Microsoft: Secure Socket Tunneling Protocol (SSTP). https://msdn.microsoft.com/en-us/library/cc247338.aspx

  26. Mudge, Schneier, B.: Cryptanalysis of microsoft’s point-to-point tunneling protocol (PPTP). In: Proceedings of the 5th ACM Conference on Communications and Computer Security. ACM Press (1998)

    Google Scholar 

  27. Nafeez, A.: Compression Oracle attacks on VPN networks. Blackhat, USA (2018)

    Google Scholar 

  28. Pall, G., Zorn, G.: Microsoft point-to-point encryption (MPPE) protocol. RFC 3078 (2001)

    Google Scholar 

  29. Pereira, R., Beaulieu, S.: Extended Authentication within ISAKMP/Oakley (XAUTH). IETF Draft (1999)

    Google Scholar 

  30. Perta, V.C., Barbera, M.V., Tyson, G., Haddadi, H., Mei, A.: A glance through the VPN looking glass: IPv6 leakage and DNS hijacking in commercial VPN clients. In: Proceedings on Privacy Enhancing Technologies (2015)

    CrossRef  Google Scholar 

  31. Schneier, B., Mudge, Wagner, D.: Cryptanalysis of Microsoft’s PPTP authentication extensions (MS-CHAPv2). In: Secure Networking–CQRE. LNCS, vol. 1740, pp. 192–203. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-46701-7_17

    Google Scholar 

  32. Simpson, W.: The point-to-point protocol (PPP). RFC 1661 (1994)

    Google Scholar 

  33. Wood, D., Stoss, V., Chan-Lizardo, L., Papacostas, G.S., Stinson, M.E.: Virtual private networks. In: International Conference on Private Switching Systems and Networks (1988)

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Thanh Bui .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Bui, T., Rao, S., Antikainen, M., Aura, T. (2019). Client-Side Vulnerabilities in Commercial VPNs. In: Askarov, A., Hansen, R., Rafnsson, W. (eds) Secure IT Systems. NordSec 2019. Lecture Notes in Computer Science(), vol 11875. Springer, Cham. https://doi.org/10.1007/978-3-030-35055-0_7

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-35055-0_7

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-35054-3

  • Online ISBN: 978-3-030-35055-0

  • eBook Packages: Computer ScienceComputer Science (R0)