<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>Comments on: Cyber security news August 2023</title>
	<atom:link href="http://www.epanorama.net/blog/2023/07/31/cyber-security-news-august-2023/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.epanorama.net/blog/2023/07/31/cyber-security-news-august-2023/</link>
	<description>All about electronics and circuit design</description>
	<lastBuildDate>Sun, 05 Apr 2026 16:05:18 +0000</lastBuildDate>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.9.14</generator>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2023/07/31/cyber-security-news-august-2023/comment-page-7/#comment-1812374</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Sat, 02 Sep 2023 05:17:54 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/newepa/?p=194303#comment-1812374</guid>
		<description><![CDATA[The average Starlink user probably doesn&#039;t spend a lot of time thinking about their hardware after getting the dish aligned and wiring run. To security researchers, however, it&#039;s another fascinating device to tinker with as they reverse-engineer the firmware and try to both find out what makes it tick, as well as how to break it. This is essentially the subject of &#039;s article over at Quarkslab as he…

DIVING INTO STARLINK’S USER TERMINAL FIRMWARE
https://hackaday.com/2023/08/31/diving-into-starlinks-user-terminal-firmware/?fbclid=IwAR2l-AHY10L7pvcLPDz_w8UydA44htT_g2oynRH4dveaYNOG1nfRyMvbHho

The user terminal hardware itself is a quite standard AArch64 ARM-based SoC, along with the proprietary communication interface, all of which is controlled by the Linux-based firmware. Dumping the firmware itself was made easy thanks to existing work by researchers at the KU Leuven, involving dumping the contents of the onboard eMMC storage. After this the firmware architecture could be analyzed, which turned out to consist mostly of C++-based binaries, but with a single big binary for the user front-end written in Go.

https://blog.quarkslab.com/starlink.html]]></description>
		<content:encoded><![CDATA[<p>The average Starlink user probably doesn&#8217;t spend a lot of time thinking about their hardware after getting the dish aligned and wiring run. To security researchers, however, it&#8217;s another fascinating device to tinker with as they reverse-engineer the firmware and try to both find out what makes it tick, as well as how to break it. This is essentially the subject of &#8216;s article over at Quarkslab as he…</p>
<p>DIVING INTO STARLINK’S USER TERMINAL FIRMWARE<br />
<a href="https://hackaday.com/2023/08/31/diving-into-starlinks-user-terminal-firmware/?fbclid=IwAR2l-AHY10L7pvcLPDz_w8UydA44htT_g2oynRH4dveaYNOG1nfRyMvbHho" rel="nofollow">https://hackaday.com/2023/08/31/diving-into-starlinks-user-terminal-firmware/?fbclid=IwAR2l-AHY10L7pvcLPDz_w8UydA44htT_g2oynRH4dveaYNOG1nfRyMvbHho</a></p>
<p>The user terminal hardware itself is a quite standard AArch64 ARM-based SoC, along with the proprietary communication interface, all of which is controlled by the Linux-based firmware. Dumping the firmware itself was made easy thanks to existing work by researchers at the KU Leuven, involving dumping the contents of the onboard eMMC storage. After this the firmware architecture could be analyzed, which turned out to consist mostly of C++-based binaries, but with a single big binary for the user front-end written in Go.</p>
<p><a href="https://blog.quarkslab.com/starlink.html" rel="nofollow">https://blog.quarkslab.com/starlink.html</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2023/07/31/cyber-security-news-august-2023/comment-page-7/#comment-1812356</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 01 Sep 2023 11:49:44 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/newepa/?p=194303#comment-1812356</guid>
		<description><![CDATA[VPN
TunnelCrack attack may cause vulnerable VPNs to leak traffic • The Register
There&#039;s a good chance your VPN is vulnerable to privacy-menacing TunnelCrack attack https://www.theregister.com/2023/08/10/tunnelcrack_vpn/

A couple of techniques collectively known as TunnelCrack can, in the right circumstances, be used by snoops to force victims&#039; network traffic to go outside their encrypted VPNs, it was demonstrated this week.

A team of academics on Tuesday explained how the attacks work, released proof-of-concept exploits, and reckoned &quot;every VPN product is vulnerable on at least one device.&quot;
The researchers said they tested more than 60 VPN clients, and found that &quot;all VPN apps&quot; on iOS are vulnerable. Android appears to be most secure of the bunch.
This Week In Security: TunnelCrack, Mutant, And Not Discord
https://hackaday.com/2023/08/18/this-week-in-security-tunnelcrack-mutant-and-not-discord/

Up first is a clever attack against VPNs, using some clever DNS and routing tricks. The technique is known as TunnelCrack (PDF), and every VPN tested was vulnerable to one of the two attacks, on at least one supported platform.

The first attack assumes an attacker is on the same network as the victim, and works by manipulating the victim’s routing tables. How? DHCP. We’re used to DHCP giving out local network addresses, but there’s nothing to prevent giving a client a fully routable address. Now here’s the trick: Many VPN clients make an exception for traffic sent to the local network. An attacker just hands out an address and subnet telling the victim machine that the entire Internet is on the local network. The attacker can capture all that traffic, route it correctly, and the VPN user doesn’t know the difference.

TunnelCrack
https://tunnelcrack.mathyvanhoef.com/
8 August 2023 — TunnelCrack is a combination of two widespread security vulnerabilities in VPNs. An adversary can abuse these vulnerabilities to leak traffic outside the VPN tunnel. Our tests indicate that every VPN product is vulnerable on at least one device. We found that VPNs for iPhones, iPads, MacBooks, and macOS are extremely likely to be vulnerable, that a majority of VPNs on Windows and Linux are vulnerable, and that Android is the most secure with roughly one-quarter of VPN apps being vulnerable. The discovered vulnerabilities can be abused regardless of the security protocol used by the VPN.

In the LocalNet attack, the adversary acts as a malicious Wi-Fi or Ethernet network, and tricks the victim into connecting to this network. An easy way to accomplish this is by cloning a popular Wi-Fi hotspot such as &quot;starbucks&quot;. Once connected, the adversary assigns a public IP address and subnet to the victim.

In the ServerIP attack, we abuse the observation that many VPNs don&#039;t encrypt traffic towards the IP address of the VPN server. This is done to avoid re-encryption of packets. As an example, say the VPN server is identified by the hostname vpn.com and the real IP address of the VPN server is 2.2.2.2. Let&#039;s assume the adversary wants to intercept traffic to target.com which has IP address 1.2.3.4.

We found that the built-in VPN clients of Windows, macOS, and iOS are vulnerable. Android 12 and higher is not affected. A significant number of Linux VPNs are also vulnerable. Additionally, we found that most OpenVPN profiles, when used with a vulnerable VPN client, use a hostname to identify the VPN server and therefore may result in vulnerable behavior. For more details about the ServerIP experiments, see our paper. To prevent the attack, VPN clients should be updated to send all traffic through the VPN tunnel, except traffic generated by the VPN app itself.

Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables
https://papers.mathyvanhoef.com/usenix2023-tunnelcrack.pdf

How to fix TunnelCrack VPN leaks
What caused a mass vulnerability in VPN clients, and how to keep them working.
https://www.kaspersky.com/blog/how-to-fix-tunnelcrack-vpn-leak/48788/

What to do as a VPN user

    Check your VPN service for updates. Peruse the official website and contact technical support. It’s possible that your provider has already updated its applications and settings, so it may be enough to install an update to fix the problem. Note that there may not be an update for iOS due to VPN configuration restrictions on Apple’s side.
    For services based on pure OpenVPN (of which there are plenty) you can use any OpenVPN client in which the vulnerabilities are fixed. The researchers recommend Windscribe.
    Check the exclusions in the VPN service settings. If there is an option to “route local traffic without VPN” or “allow access to local network,” disable it. In other words, all traffic must go through the VPN. The obvious downside of this setting is that you won’t be able to log in from the computer to a local NAS or manage smart devices via Wi-Fi over a local network.

What to do as a corporate VPN administrator

    Check if your VPN clients are exposed to this vulnerability. A manual testing method is described by the researchers on GitHub. Test all versions of VPN clients used in your company for all relevant platforms.

Testing LocalNet Attacks and ServerIP Attacks
https://github.com/vanhoefm/vpnleaks#id-testlocalnet

LocalNet and ServerIP attack
https://forums.openvpn.net/viewtopic.php?t=36077

by MatejKovacic » Wed Aug 09, 2023 9:57 am
TunnelCrack is a combination of two widespread security vulnerabilities in VPNs. An adversary can abuse these vulnerabilities to leak traffic outside the VPN tunnel. Our tests indicate that every VPN product is vulnerable on at least one device.

https://tunnelcrack.mathyvanhoef.com

Any suggestion for mitigation?

I would say it helps using static IP addresses (and not FQDN) and strict certificate checking on a client side. What else?


TunnelCrack: Widespread design flaws in VPN clients
https://www.reddit.com/r/VPN/comments/15mgoiv/tunnelcrack_widespread_design_flaws_in_vpn_clients/?rdt=38060

TunnelCrack, a combination of two widespread security vulnerabilities in VPNs. Although a VPN is supposed to protect all data that a user transmits, our attacks can bypass the protection of a VPN. For instance, an adversary can abuse our vulnerabilities to leak and read user traffic, steal user information, or attack user devices. 

Crappy paper.

    Assumes that OpenVPN clients aren&#039;t using &quot;redirect def1&quot;.

    Assumes that servers aren&#039;t using secure dns for reverse-dns load balancing or direct IPs on the clients.

    Assumes that there are no firewalls.

These are all known issues that VPN companies have been working on for 10+ years.

Of course all of the crappy ones are affected.

The only major finding is that the mitigations don&#039;t seem to be working on iOS.

I thought it was a useful paper, given that so many clients are vulnerable. I&#039;d like to know if Linux&#039;s built-in (Network Manager) OpenVPN client is vulnerable.

It would be if you set it up wrong.

You need to set up redirect def1 to force everything through the tunnel device. If you want to be doubly careful set up firewall rules as well.

To me, this paper is about as novel as writing a paper about DNS leaks and then testing a bunch of crappy VPNs and talking about what a huge problem it is.]]></description>
		<content:encoded><![CDATA[<p>VPN<br />
TunnelCrack attack may cause vulnerable VPNs to leak traffic • The Register<br />
There&#8217;s a good chance your VPN is vulnerable to privacy-menacing TunnelCrack attack <a href="https://www.theregister.com/2023/08/10/tunnelcrack_vpn/" rel="nofollow">https://www.theregister.com/2023/08/10/tunnelcrack_vpn/</a></p>
<p>A couple of techniques collectively known as TunnelCrack can, in the right circumstances, be used by snoops to force victims&#8217; network traffic to go outside their encrypted VPNs, it was demonstrated this week.</p>
<p>A team of academics on Tuesday explained how the attacks work, released proof-of-concept exploits, and reckoned &#8220;every VPN product is vulnerable on at least one device.&#8221;<br />
The researchers said they tested more than 60 VPN clients, and found that &#8220;all VPN apps&#8221; on iOS are vulnerable. Android appears to be most secure of the bunch.<br />
This Week In Security: TunnelCrack, Mutant, And Not Discord<br />
<a href="https://hackaday.com/2023/08/18/this-week-in-security-tunnelcrack-mutant-and-not-discord/" rel="nofollow">https://hackaday.com/2023/08/18/this-week-in-security-tunnelcrack-mutant-and-not-discord/</a></p>
<p>Up first is a clever attack against VPNs, using some clever DNS and routing tricks. The technique is known as TunnelCrack (PDF), and every VPN tested was vulnerable to one of the two attacks, on at least one supported platform.</p>
<p>The first attack assumes an attacker is on the same network as the victim, and works by manipulating the victim’s routing tables. How? DHCP. We’re used to DHCP giving out local network addresses, but there’s nothing to prevent giving a client a fully routable address. Now here’s the trick: Many VPN clients make an exception for traffic sent to the local network. An attacker just hands out an address and subnet telling the victim machine that the entire Internet is on the local network. The attacker can capture all that traffic, route it correctly, and the VPN user doesn’t know the difference.</p>
<p>TunnelCrack<br />
<a href="https://tunnelcrack.mathyvanhoef.com/" rel="nofollow">https://tunnelcrack.mathyvanhoef.com/</a><br />
8 August 2023 — TunnelCrack is a combination of two widespread security vulnerabilities in VPNs. An adversary can abuse these vulnerabilities to leak traffic outside the VPN tunnel. Our tests indicate that every VPN product is vulnerable on at least one device. We found that VPNs for iPhones, iPads, MacBooks, and macOS are extremely likely to be vulnerable, that a majority of VPNs on Windows and Linux are vulnerable, and that Android is the most secure with roughly one-quarter of VPN apps being vulnerable. The discovered vulnerabilities can be abused regardless of the security protocol used by the VPN.</p>
<p>In the LocalNet attack, the adversary acts as a malicious Wi-Fi or Ethernet network, and tricks the victim into connecting to this network. An easy way to accomplish this is by cloning a popular Wi-Fi hotspot such as &#8220;starbucks&#8221;. Once connected, the adversary assigns a public IP address and subnet to the victim.</p>
<p>In the ServerIP attack, we abuse the observation that many VPNs don&#8217;t encrypt traffic towards the IP address of the VPN server. This is done to avoid re-encryption of packets. As an example, say the VPN server is identified by the hostname vpn.com and the real IP address of the VPN server is 2.2.2.2. Let&#8217;s assume the adversary wants to intercept traffic to target.com which has IP address 1.2.3.4.</p>
<p>We found that the built-in VPN clients of Windows, macOS, and iOS are vulnerable. Android 12 and higher is not affected. A significant number of Linux VPNs are also vulnerable. Additionally, we found that most OpenVPN profiles, when used with a vulnerable VPN client, use a hostname to identify the VPN server and therefore may result in vulnerable behavior. For more details about the ServerIP experiments, see our paper. To prevent the attack, VPN clients should be updated to send all traffic through the VPN tunnel, except traffic generated by the VPN app itself.</p>
<p>Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables<br />
<a href="https://papers.mathyvanhoef.com/usenix2023-tunnelcrack.pdf" rel="nofollow">https://papers.mathyvanhoef.com/usenix2023-tunnelcrack.pdf</a></p>
<p>How to fix TunnelCrack VPN leaks<br />
What caused a mass vulnerability in VPN clients, and how to keep them working.<br />
<a href="https://www.kaspersky.com/blog/how-to-fix-tunnelcrack-vpn-leak/48788/" rel="nofollow">https://www.kaspersky.com/blog/how-to-fix-tunnelcrack-vpn-leak/48788/</a></p>
<p>What to do as a VPN user</p>
<p>    Check your VPN service for updates. Peruse the official website and contact technical support. It’s possible that your provider has already updated its applications and settings, so it may be enough to install an update to fix the problem. Note that there may not be an update for iOS due to VPN configuration restrictions on Apple’s side.<br />
    For services based on pure OpenVPN (of which there are plenty) you can use any OpenVPN client in which the vulnerabilities are fixed. The researchers recommend Windscribe.<br />
    Check the exclusions in the VPN service settings. If there is an option to “route local traffic without VPN” or “allow access to local network,” disable it. In other words, all traffic must go through the VPN. The obvious downside of this setting is that you won’t be able to log in from the computer to a local NAS or manage smart devices via Wi-Fi over a local network.</p>
<p>What to do as a corporate VPN administrator</p>
<p>    Check if your VPN clients are exposed to this vulnerability. A manual testing method is described by the researchers on GitHub. Test all versions of VPN clients used in your company for all relevant platforms.</p>
<p>Testing LocalNet Attacks and ServerIP Attacks<br />
<a href="https://github.com/vanhoefm/vpnleaks#id-testlocalnet" rel="nofollow">https://github.com/vanhoefm/vpnleaks#id-testlocalnet</a></p>
<p>LocalNet and ServerIP attack<br />
<a href="https://forums.openvpn.net/viewtopic.php?t=36077" rel="nofollow">https://forums.openvpn.net/viewtopic.php?t=36077</a></p>
<p>by MatejKovacic » Wed Aug 09, 2023 9:57 am<br />
TunnelCrack is a combination of two widespread security vulnerabilities in VPNs. An adversary can abuse these vulnerabilities to leak traffic outside the VPN tunnel. Our tests indicate that every VPN product is vulnerable on at least one device.</p>
<p><a href="https://tunnelcrack.mathyvanhoef.com" rel="nofollow">https://tunnelcrack.mathyvanhoef.com</a></p>
<p>Any suggestion for mitigation?</p>
<p>I would say it helps using static IP addresses (and not FQDN) and strict certificate checking on a client side. What else?</p>
<p>TunnelCrack: Widespread design flaws in VPN clients<br />
<a href="https://www.reddit.com/r/VPN/comments/15mgoiv/tunnelcrack_widespread_design_flaws_in_vpn_clients/?rdt=38060" rel="nofollow">https://www.reddit.com/r/VPN/comments/15mgoiv/tunnelcrack_widespread_design_flaws_in_vpn_clients/?rdt=38060</a></p>
<p>TunnelCrack, a combination of two widespread security vulnerabilities in VPNs. Although a VPN is supposed to protect all data that a user transmits, our attacks can bypass the protection of a VPN. For instance, an adversary can abuse our vulnerabilities to leak and read user traffic, steal user information, or attack user devices. </p>
<p>Crappy paper.</p>
<p>    Assumes that OpenVPN clients aren&#8217;t using &#8220;redirect def1&#8221;.</p>
<p>    Assumes that servers aren&#8217;t using secure dns for reverse-dns load balancing or direct IPs on the clients.</p>
<p>    Assumes that there are no firewalls.</p>
<p>These are all known issues that VPN companies have been working on for 10+ years.</p>
<p>Of course all of the crappy ones are affected.</p>
<p>The only major finding is that the mitigations don&#8217;t seem to be working on iOS.</p>
<p>I thought it was a useful paper, given that so many clients are vulnerable. I&#8217;d like to know if Linux&#8217;s built-in (Network Manager) OpenVPN client is vulnerable.</p>
<p>It would be if you set it up wrong.</p>
<p>You need to set up redirect def1 to force everything through the tunnel device. If you want to be doubly careful set up firewall rules as well.</p>
<p>To me, this paper is about as novel as writing a paper about DNS leaks and then testing a bunch of crappy VPNs and talking about what a huge problem it is.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2023/07/31/cyber-security-news-august-2023/comment-page-7/#comment-1812348</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 01 Sep 2023 09:36:00 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/newepa/?p=194303#comment-1812348</guid>
		<description><![CDATA[LockBit 3.0 Ransomware Builder Leak Gives Rise to Hundreds of New Variants
https://thehackernews.com/2023/08/lockbit-30-ransomware-builder-leak.html
https://thehackernews.com/2023/06/lockbit-ransomware-extorts-91-million.html]]></description>
		<content:encoded><![CDATA[<p>LockBit 3.0 Ransomware Builder Leak Gives Rise to Hundreds of New Variants<br />
<a href="https://thehackernews.com/2023/08/lockbit-30-ransomware-builder-leak.html" rel="nofollow">https://thehackernews.com/2023/08/lockbit-30-ransomware-builder-leak.html</a><br />
<a href="https://thehackernews.com/2023/06/lockbit-ransomware-extorts-91-million.html" rel="nofollow">https://thehackernews.com/2023/06/lockbit-ransomware-extorts-91-million.html</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2023/07/31/cyber-security-news-august-2023/comment-page-7/#comment-1812343</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 01 Sep 2023 09:34:05 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/newepa/?p=194303#comment-1812343</guid>
		<description><![CDATA[https://www.securityweek.com/north-korean-apt-hacks-internet-infrastructure-provider-via-manageengine-flaw/]]></description>
		<content:encoded><![CDATA[<p><a href="https://www.securityweek.com/north-korean-apt-hacks-internet-infrastructure-provider-via-manageengine-flaw/" rel="nofollow">https://www.securityweek.com/north-korean-apt-hacks-internet-infrastructure-provider-via-manageengine-flaw/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2023/07/31/cyber-security-news-august-2023/comment-page-7/#comment-1812337</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 01 Sep 2023 09:28:18 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/newepa/?p=194303#comment-1812337</guid>
		<description><![CDATA[Chinese-Backed APT ‘Flax Typhoon’ Hacks Taiwan With Minimal Malware Footprint
https://www.securityweek.com/chinese-backed-apt-flax-typhoon-hacks-taiwan-with-minimal-malware-footprint/

Microsoft warns that Chinese spies are hacking into Taiwanese organizations with minimal use of malware and by abusing legitimate software.]]></description>
		<content:encoded><![CDATA[<p>Chinese-Backed APT ‘Flax Typhoon’ Hacks Taiwan With Minimal Malware Footprint<br />
<a href="https://www.securityweek.com/chinese-backed-apt-flax-typhoon-hacks-taiwan-with-minimal-malware-footprint/" rel="nofollow">https://www.securityweek.com/chinese-backed-apt-flax-typhoon-hacks-taiwan-with-minimal-malware-footprint/</a></p>
<p>Microsoft warns that Chinese spies are hacking into Taiwanese organizations with minimal use of malware and by abusing legitimate software.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2023/07/31/cyber-security-news-august-2023/comment-page-7/#comment-1812336</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 01 Sep 2023 09:28:02 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/newepa/?p=194303#comment-1812336</guid>
		<description><![CDATA[https://www.securityweek.com/university-of-minnesota-confirms-data-breach-says-ransomware-not-involved/]]></description>
		<content:encoded><![CDATA[<p><a href="https://www.securityweek.com/university-of-minnesota-confirms-data-breach-says-ransomware-not-involved/" rel="nofollow">https://www.securityweek.com/university-of-minnesota-confirms-data-breach-says-ransomware-not-involved/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2023/07/31/cyber-security-news-august-2023/comment-page-7/#comment-1812335</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 01 Sep 2023 09:27:39 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/newepa/?p=194303#comment-1812335</guid>
		<description><![CDATA[https://www.securityweek.com/cisco-patches-vulnerabilities-exposing-switches-firewalls-to-dos-attacks/]]></description>
		<content:encoded><![CDATA[<p><a href="https://www.securityweek.com/cisco-patches-vulnerabilities-exposing-switches-firewalls-to-dos-attacks/" rel="nofollow">https://www.securityweek.com/cisco-patches-vulnerabilities-exposing-switches-firewalls-to-dos-attacks/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2023/07/31/cyber-security-news-august-2023/comment-page-7/#comment-1812332</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 01 Sep 2023 09:23:37 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/newepa/?p=194303#comment-1812332</guid>
		<description><![CDATA[In Other News: Africa Cybercrime Crackdown, Unpatched macOS Flaw, Investor Disclosures

Weekly cybersecurity news roundup that provides a summary of noteworthy stories that might have slipped under the radar for the week of August 21, 2023.

https://www.securityweek.com/in-other-news-africa-cybercrime-crackdown-unpatched-macos-flaw-investor-disclosures/

Facebook expands end-to-end encryption in Messenger

Facebook parent company Meta is expanding end-to-end encryption (E2EE) testing in Messenger, in preparation for enabling it by default for all one-to-one friends and family chats by the end of the year. To access default E2EE, users will need to update the application to newer builds, the internet giant announced.  

EY analyzes investor cyber disclosures

EY’s analysis of proxy statements and 10‑K filings over the past six years has shown “steady and significant increases in the percentage of disclosures in certain categories of cyber management and oversight.” The report also shows increases in the frequency of management reporting to the board, cybersecurity as a sought for area of expertise, and in the use of external independent advisors.  

CISA publishes first VDP Platform report

In its inaugural VDP Platform Annual Report, the US Cybersecurity and Infrastructure Security Agency (CISA) said its VDP platform facilitated the remediation of more than 1,000 vulnerabilities through December 2022, including nearly 200 critical issues.]]></description>
		<content:encoded><![CDATA[<p>In Other News: Africa Cybercrime Crackdown, Unpatched macOS Flaw, Investor Disclosures</p>
<p>Weekly cybersecurity news roundup that provides a summary of noteworthy stories that might have slipped under the radar for the week of August 21, 2023.</p>
<p><a href="https://www.securityweek.com/in-other-news-africa-cybercrime-crackdown-unpatched-macos-flaw-investor-disclosures/" rel="nofollow">https://www.securityweek.com/in-other-news-africa-cybercrime-crackdown-unpatched-macos-flaw-investor-disclosures/</a></p>
<p>Facebook expands end-to-end encryption in Messenger</p>
<p>Facebook parent company Meta is expanding end-to-end encryption (E2EE) testing in Messenger, in preparation for enabling it by default for all one-to-one friends and family chats by the end of the year. To access default E2EE, users will need to update the application to newer builds, the internet giant announced.  </p>
<p>EY analyzes investor cyber disclosures</p>
<p>EY’s analysis of proxy statements and 10‑K filings over the past six years has shown “steady and significant increases in the percentage of disclosures in certain categories of cyber management and oversight.” The report also shows increases in the frequency of management reporting to the board, cybersecurity as a sought for area of expertise, and in the use of external independent advisors.  </p>
<p>CISA publishes first VDP Platform report</p>
<p>In its inaugural VDP Platform Annual Report, the US Cybersecurity and Infrastructure Security Agency (CISA) said its VDP platform facilitated the remediation of more than 1,000 vulnerabilities through December 2022, including nearly 200 critical issues.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2023/07/31/cyber-security-news-august-2023/comment-page-7/#comment-1812331</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 01 Sep 2023 09:22:21 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/newepa/?p=194303#comment-1812331</guid>
		<description><![CDATA[North Korean APT Hacks Internet Infrastructure Provider via ManageEngine Flaw
https://www.securityweek.com/north-korean-apt-hacks-internet-infrastructure-provider-via-manageengine-flaw/

North Korea-linked Lazarus Group exploited a ManageEngine vulnerability to compromise an internet backbone infrastructure provider.]]></description>
		<content:encoded><![CDATA[<p>North Korean APT Hacks Internet Infrastructure Provider via ManageEngine Flaw<br />
<a href="https://www.securityweek.com/north-korean-apt-hacks-internet-infrastructure-provider-via-manageengine-flaw/" rel="nofollow">https://www.securityweek.com/north-korean-apt-hacks-internet-infrastructure-provider-via-manageengine-flaw/</a></p>
<p>North Korea-linked Lazarus Group exploited a ManageEngine vulnerability to compromise an internet backbone infrastructure provider.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2023/07/31/cyber-security-news-august-2023/comment-page-7/#comment-1812326</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 01 Sep 2023 09:14:20 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/newepa/?p=194303#comment-1812326</guid>
		<description><![CDATA[https://www.securityweek.com/3-cryptocurrency-firms-suffer-data-breach-after-kroll-sim-swapping-attack/]]></description>
		<content:encoded><![CDATA[<p><a href="https://www.securityweek.com/3-cryptocurrency-firms-suffer-data-breach-after-kroll-sim-swapping-attack/" rel="nofollow">https://www.securityweek.com/3-cryptocurrency-firms-suffer-data-breach-after-kroll-sim-swapping-attack/</a></p>
]]></content:encoded>
	</item>
</channel>
</rss>
