Invisible Adversaries: A Systematic Study of Session Manipulation Attacks on VPNs
This exposes critical security flaws in widely used VPNs, affecting users relying on them for privacy and censorship evasion.
The paper identified vulnerabilities in VPN connection tracking frameworks that allow attackers on the same server to launch denial-of-service attacks, hijack TCP connections, or inject forged DNS responses, with experiments showing all tested frameworks and eight of nine major VPN providers were vulnerable.
Virtual Private Networks (VPNs) are widely used for censorship evasion and traffic protection. VPN users expect to be provided with adequate security protection, and at the same time not be affected by other users connected to the same VPN server, which can be illustrated as the non-interference property. However, in this paper, we have identified several vulnerabilities that violate this property, specifically within the connection tracking frameworks of VPN servers, stemming from shared resource misuse and insufficient validation of session state transitions. We present three session manipulation attacks targeting TCP and UDP traffic tunneled through VPNs. The attacker who only connects to the same VPN server can launch denial-of-service attacks, hijack TCP connections of other clients, or inject forged DNS responses into their queries. We evaluate these attacks against five popular connection tracking frameworks across different OSes and nine major commercial VPN providers. Experimental results reveal that all frameworks and eight providers are vulnerable to at least one of the attacks. We have responsibly disclosed our findings with countermeasures, resulting in 19 assigned CVEs/CNVDs and acknowledgments from the communities and providers.