Abstract
Internet users increasingly rely on commercial virtual private network (VPN) services to protect their security and privacy. The VPN services route the client’s traffic over an encrypted tunnel to a VPN gateway in the cloud. Thus, they hide the client’s real IP address from online services, and they also shield the user’s connections from perceived threats in the access networks. In this paper, we study the security of such commercial VPN services. The focus is on how the client applications set up VPN tunnels, and how the service providers instruct users to configure generic client software. We analyze common VPN protocols and implementations on Windows, macOS and Ubuntu. We find that the VPN clients have various configuration flaws, which an attacker can exploit to strip off traffic encryption or to bypass authentication of the VPN gateway. In some cases, the attacker can also steal the VPN user’s username and password. We suggest ways to mitigate each of the discovered vulnerabilities.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
EasySSTP. https://mac.softpedia.com/get/Network-Admin/EasySSTP.shtml
Identity parsing in StrongSwan. https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing
Known L2TP/IPsec preshared keys. https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa
OpenVPN. https://openvpn.net/
OpenVPN management interface notes. https://openvpn.net/community-resources/management-interface/
SoftEther VPN project. https://www.softether.org/
sstp-client. https://sourceforge.net/projects/sstp-client/
Strongswan. https://www.strongswan.org/
CVE-2018-3952 (2018). https://nvd.nist.gov/vuln/detail/CVE-2018-3952
CVE-2018-4010 (2018). https://nvd.nist.gov/vuln/detail/CVE-2018-4010
Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., Levkowetz, H.: Extensible authentication protocol (EAP). RFC 3748 (2004)
Appelbaum, J., Ray, M., Koscher, K., Finder, I.: vpwns: virtual pwned networks. In: USENIX Workshop on Free and Open Communications on the Internet. USENIX Association (2012)
Atkinson, R., Kent, S.: Security architecture for the Internet protocol. RFC 4301 (1998)
Bui, T., Rao, S.P., Antikainen, M., Bojan, V.M., Aura, T.: Man-in-the-machine: exploiting ill-secured communication inside the computer. In: USENIX Security 2018. USENIX Association (2018)
Cisco: Introduction to Cisco IPsec technology. https://www.cisco.com/c/en/us/td/docs/net_mgmt/vpn_solutions_center/2-0/ip_security/provisioning/guide/IPsecPG1.html
Fazal, L., Ganu, S., Kappes, M., Krishnakumar, A.S., Krishnan, P.: Tackling security vulnerabilities in VPN-based wireless deployments. In: ICC (2004)
Felsch, D., Grothe, M., Schwenk, J., Czubak, A., Szymanek, M.: The dangers of key reuse: practical attacks on IPsec IKE. In: USENIX Security 2018. USENIX Association (2018)
Hamzeh, K., Pall, G., Verthein, W., Taarud, J., Little, W., Zorn, G.: Point-to-point tunneling protocol (PPTP). RFC 2637 (1999)
Horst, M., Grothe, M., Jager, T., Schwenk, J.: Breaking PPTP VPNs via RADIUS encryption. In: Foresti, S., Persiano, G. (eds.) CANS 2016. LNCS, vol. 10052, pp. 159–175. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-48965-0_10
Hurst, R., Palekar, A.: Microsoft EAP CHAP extensions. IETF Draft (2007)
Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., Kivinen, T.: Internet key exchange protocol version 2 (IKEv2). RFC 7296 (2014)
Marlinspike, M., Ray, M.: Divide and conquer: Cracking MS-CHAPv2 with a 100% success rate (2012). https://www.cloudcracker.com/blog/2012/07/29/cracking-ms
Microsoft: Routing and remote access service. https://docs.microsoft.com/en-us/windows/desktop/RRAS/
Microsoft: RRAS’s VpnStrategy. https://msdn.microsoft.com/en-us/library/ee808236.aspx
Microsoft: Secure Socket Tunneling Protocol (SSTP). https://msdn.microsoft.com/en-us/library/cc247338.aspx
Mudge, Schneier, B.: Cryptanalysis of microsoft’s point-to-point tunneling protocol (PPTP). In: Proceedings of the 5th ACM Conference on Communications and Computer Security. ACM Press (1998)
Nafeez, A.: Compression Oracle attacks on VPN networks. Blackhat, USA (2018)
Pall, G., Zorn, G.: Microsoft point-to-point encryption (MPPE) protocol. RFC 3078 (2001)
Pereira, R., Beaulieu, S.: Extended Authentication within ISAKMP/Oakley (XAUTH). IETF Draft (1999)
Perta, V.C., Barbera, M.V., Tyson, G., Haddadi, H., Mei, A.: A glance through the VPN looking glass: IPv6 leakage and DNS hijacking in commercial VPN clients. In: Proceedings on Privacy Enhancing Technologies (2015)
Schneier, B., Mudge, Wagner, D.: Cryptanalysis of Microsoft’s PPTP authentication extensions (MS-CHAPv2). In: Secure Networking–CQRE. LNCS, vol. 1740, pp. 192–203. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-46701-7_17
Simpson, W.: The point-to-point protocol (PPP). RFC 1661 (1994)
Wood, D., Stoss, V., Chan-Lizardo, L., Papacostas, G.S., Stinson, M.E.: Virtual private networks. In: International Conference on Private Switching Systems and Networks (1988)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Bui, T., Rao, S., Antikainen, M., Aura, T. (2019). Client-Side Vulnerabilities in Commercial VPNs. In: Askarov, A., Hansen, R., Rafnsson, W. (eds) Secure IT Systems. NordSec 2019. Lecture Notes in Computer Science(), vol 11875. Springer, Cham. https://doi.org/10.1007/978-3-030-35055-0_7
Download citation
DOI: https://doi.org/10.1007/978-3-030-35055-0_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-35054-3
Online ISBN: 978-3-030-35055-0
eBook Packages: Computer ScienceComputer Science (R0)