Researchers have identified a serious vulnerability affecting VPN providers with port-forwarding services that allows an attacker to obtain the real IP address of a user’s computer.
VPN service provider Perfect Privacy has published a post about its findings on its blog:
“We have discovered a vulnerability in a number of providers that allows an attacker to expose the real IP address of a victim,” explains the company. “‘Port Fail’ affects VPN providers that offer port forwarding and have no protection against this specific attack.”
Perfect Privacy goes on to note that while its users are protected, this particular vulnerability affects all users of many other VPN services because only the attacker – not the victim – needs to enable port forwarding in order to exploit the bug.
In order to successfully unveil a victim’s IP address, the attacker must do three things:
- They must have an active account with the same VPN provider as the victim.
- The attacker must set up port forwarding.
- They must know the victim’s exit IP address.
This last condition can be satisfied via IRC or a torrent client. Alternatively, as noted by Jeremy Kirk of IT World, an attacker can trick a victim into visiting a malicious website (for example, by embedding a hyperlinked image on a page), at which point the attacker can scrape the user’s real IP.
Prior to the publication of its findings, Perfect Privacy tested the bug with nine prominent VPN providers, five of which proved to be vulnerable. These companies were subsequently contacted last week and given a chance to patch the flaw before Perfect Privacy made its research public.
One of those providers contacted was Private Internet Access (PIA), which has already patched the issue and stated that the fix was relatively simple and was implemented shortly after it was notified.
PIA’s Amir Malik told Techworm what it had done to rectify the issue:
“We implemented firewall rules at the VPN server level to block access to forwarded ports from clients’ real IP addresses. The fix was deployed on all our servers within 12 hours of the initial report.”
PIA also paid Perfect Privacy $5,000 USD for discovering the flaw.
While Perfect Privacy tested “Port Fail” against a handful of other VPN services, not all providers were analyzed. In reality, there are hundreds of VPN service providers in operation, many of which offer port forwarding. This could mean that an untold number of users, including BitTorrent users (see Darren Martyn’s analysis here), could be vulnerable to having their IP addresses exposed.
Going forward, affected VPN providers should do one of two things: either use multiple IP addresses, accepting incoming VPN connections on ip1 while placing exit traffic and port forwardings on ip2 through ipx, or create a server-side firewall rule that blocks a client’s real IP address from reaching port forwardings that are not the client’s own.
In the meantime, concerned users might want to investigate whether their VPN provider offers port forwarding services and, if so, whether they have patched “Port Fail”. If not, direct them to Perfect Privacy’s research.
No one wants their IP address exposed to an attacker, so the more VPN providers who get on board with this patch, the better.
8 comments on “Port fail – Serious privacy vulnerability threatens VPNs with port-forwarding capabilities”
It's not a vulnerability, it's how the Internet works. There's no good reason why this vulnerability should even exist; it's shoddy and unprofessional VPN services who have allowed this. Any competent administrator would know of this 'vulnerability'.
Decent VPN services like AirVPN are configured to a very high standard. People should thoroughly evaluate any VPN before deciding to use it.
Here's a discussion:
Bob is correct; it's bad configuration and nothing else. And yes, you should definitely evaluate a VPN before using it (you should evaluate everything before using it!).
Thank you, Bob, for pointing that out.
As one of PIA's customers, I'm aware that this happened (today's email) … however… I wasn't aware this had been a possible attack vector all along, and well-known to the VPN community (e.g. to the AirVPN.org founder). That makes me rethink my relationship with PIA – I just may need to make a move. Not because my system got (ever) compromised (as far as I know :-) … but simply because not preventing this in the first place says something about the general policies in place at a large VPN supplier like PIA. No USD 5,000 bounty can distract my attention from that basic problem.
So thanks again, for pointing me to the link. It's very helpful in understanding the world just a tad better.
I *was* a customer of PIA VPN but I left because of their abysmal attitude towards security. They fail in several areas, to name but a few:
I remember asking them about this particular vulnerability some time ago but they didn't feel it was a 'realistic' channel of attack.
They're not prepared to comment on how often they renegotiate their keys. AirVPN does so by default every 60 minutes although you can unilaterally lower this (e.g. every 15 / 20 / <insert number here> minutes, but not >60 minutes). This adds significant forward secrecy protection and I don't know why PIA aren't interested in adding it.
The client for PIA is very poor, by contrast look at AirVPN's proprietary 'Eddie' client. Google it for some screenshots. Basically you can whitelist/blacklist particular servers, connect to different countries, change OpenSSL configurations etc.
PIA have some issues with WebRTC stun vulnerabilities and open ports that really shouldn't be there.
PIA have some element of injection on their links, i.e. within their DNS configuration.
The list is endless.
The 'downside' (from a practical perspective) with ultra secure services like AirVPN is that they don't support PPTP, L2TP, IPSec for the simple reason they are extremely insecure and have been compromised. The only potential use for these protocols is on legacy mobile devices where privacy isn't an issue – i.e. you're using the VPN purely for geolocation avoidance.
There's plenty of alternative VPN providers out there. My advice is do your research and choose a company who care about privacy and security and also not one based in a 'dangerous' country.
Thank you for your extensive reply. Much appreciated!!
Would you care to hand me some (trustworthy) links where I can delve into the many PIA issues, just to make myself familiar with those?
Will look into the "Eddie" thing, reminds me of some dog from Frasier. Good 'ole days :)
I'll try to answer your questions as best as I can. Because I don't have time to research the other VPN providers I'll use AirVPN as a comparison to Private Internet Access (as I've used both) – there are others and I suggest you do your research.
The problem with "trustworthy" links is they're few and far between. They're either too technical for most people (and I don't know how mathematically-inclined you are) or they're anecdotal testimonies from their users. I'll try my best to push you in the right direction.
1 – Key negotiation;
"The key difference is that Air uses the 60 minute window for reconnections so that forward secrecy can remain intact. PIA does not in all cases. We have discussed this aspect before, but never got any clear information besides what we can see in the OpenVPN config. And it is not enabled there by default. I believe someone said they tried enabling it in the client, but it did not work."
"Perfect Forward Secrecy through Diffie-Hellman key exchange DHE. After the initial key negotiation, re-keying is performed every 60 minutes (this value can be lowered unilaterally by the client)"
[Background reading why forward secrecy is necessary]
2 – Naturally, client preference is subjective. Have a play with both but look out for the difference in features. Being able to observe visually the server load in Eddie works for me as does the ability to whitelist/blacklist servers and/or countries.
Also look at the difference in supported operating systems and perhaps more importantly whether they support the native OpenVPN client (AirVPN do which is useful on iOS). OpenVPN is open source.
One crucial difference with AirVPN is they use certificates instead of a static username and password in isolation. Last time I checked, PIA used only a password.
3 – WebRTC
Visit this website, if your real IP address is displayed then you're at risk. Better VPNs mitigate against this by hiding your IP. You can take steps within your browser to prevent this from being shown but there are other channels of attack. Therefore by using a 'fake' IP in-place of your real IP obfuscates it from a potential attack using another vector.
*** More to follow, I'm out of 'characters' in this post ***
4 – Regarding 'injection',
"Our DNS servers are neutral, do not ever inject or alter the requests (other services resolve to search results, try to fix typo etc). Using our DNS allows our customers to use our anti-geolocation discrimination features. For example, visit a website that allows only United States connections from a Netherlands VPN server."
Take a look at how PIA approach this issue.
5 – Here's a simple explanation between the differences with PPTP, L2TP, IKEV2 etc.
Bottom line is that OpenVPN is the most secure, the comments about it being "fiddly to set up" are entirely subjective. Some VPNs use entirely proprietary software; the better ones allow you to use the 'Big Daddy' – OpenVPN OR their proprietary software (if indeed they write it).
Google The Intercept and have a look at the relevant information about how VPNs are being attacked.
6 – I used Private Internet Access for a couple of months to evaluate the service. I found them unresponsive and I found a number of other issues too lengthy to document here. The alarm bells started ringing even more loudly when they started to offer "year long" substantially discounted subscriptions.
Personally I wasn't satisfied with the level of security they offered and they were (and still are) badly implementing basic stuff – like this port-forwarding vulnerability. Any competent administrator would never have allowed something that's been known for 15 years to be overlooked.
If you want 'proof' of the other issues the easiest method is to do your own research by inspecting your traffic and looking at things like key exchange, implementation of the encryption libraries etc.
7 – Companies based in countries like the USA (or soon to be the UK) where 'gagging' orders exist should be avoided. They can be required under various methods and instruments to implement backdoors or secret logging. You can find fuller information all over the internet by looking at comparison charts.
Hi, I have a free account on cyberghost.. does anyone know if they were affected by this? thanks