Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TunnelVision security vulnerability for all VPN apps #374

Closed
TimmyBoi155 opened this issue May 8, 2024 · 5 comments
Closed

TunnelVision security vulnerability for all VPN apps #374

TimmyBoi155 opened this issue May 8, 2024 · 5 comments

Comments

@TimmyBoi155
Copy link

Have IVPN team seen this? Is this being mitigated?

https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/
https://www.leviathansecurity.com/blog/tunnelvision
@stenya
Copy link
Member

stenya commented May 8, 2024

We are aware of this research, and we are investigating the findings before a full response.
@stenya
Copy link
Member

stenya commented May 8, 2024

To exploit the vulnerability in question an attacker needs to connect to the same local network as the target, and act as a DHCP server. This allows them to modify routing tables and control traffic routing. This way they may route traffic outside of the VPN tunnel, bypassing the routing rules defined by the VPN client. As this vulnerability alters the routing table, it is not a discrete attack, if you can check your routing table you can tell whether the network is compromised.

Overview of our findings regarding IVPN apps:

1. IVPN Android app is not affected.

2. IVPN iOS app is potentially affected based on our assessment, and "Block LAN traffic" option enabled in the app does not mitigate the issue.
Actions you can take if you are concerned about the attack:

  • Avoid connecting to public/untrusted networks
  • Do not use IVPN on iOS

3. For IVPN desktop apps we have a firewall functionality that blocks all traffic going outside the VPN interface. With the default configuration, IVPN users are not affected by this vulnerability.

However, the vulnerability might affect you if:

  • Firewall functionality is disabled
  • Firewall is configured to allow LAN communication, or if there are custom firewall exceptions defined
    If you are concerned about this issue we suggest always using the built-in firewall in the desktop apps with default configuration.
@stenya
Copy link
Member

stenya commented May 10, 2024

https://www.reddit.com/r/IVPN/comments/1clwlup/tunnelvision_vulnerability/
@stenya stenya closed this as completed May 10, 2024
@TimmyBoi155
Copy link
Author

TimmyBoi155 commented May 14, 2024
edited
Loading

@stenya Is there any plan at all to fix this??

However, the vulnerability might affect you if:

* Firewall functionality is disabled

* Firewall is configured to allow LAN communication, or if there are custom firewall exceptions defined
  If you are concerned about this issue we suggest always using the built-in firewall in the desktop apps with default configuration.
@stenya
Copy link
Member

stenya commented May 14, 2024

Actually, the IVPN Firewall was designed to protect users from such types of attacks, and it is effectively doing its job. It is enabled by default. Users should be aware of the potential risks when they manually disable the firewall.

We are consistently seeking improvements. However, at present, there is no superior solution that would not impact user usability.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
2 participants
@stenya @TimmyBoi155