https://portswigger.net/daily-swig/vpn-users-unmasked-by-zero-day-vulnerability-in-virgin-media-routers

VPN users unmasked by zero-day vulnerability in Virgin Media routers

Adam Bannister
20 September 2021 at 11:03 UTC
Updated: 20 September 2021 at 16:09 UTC

Disclosure comes two years after privacy-busting flaw was discovered

A zero-day vulnerability in Virgin Media Super Hub 3 routers enables attackers to unmask the true IP addresses of VPN users, security researchers have revealed.

Fidus Information Security, a UK penetration testing consultancy, has published details of the flaw nearly two years after first alerting Virgin Media, a British telco, which referred Fidus to Liberty Global, its parent company.

Fidus' R&D team said it initially delayed disclosure for 12 months at the vendor's request, but subsequent attempts to contact Virgin Media and Liberty Global then failed to elicit responses.

However, Virgin Media has told The Daily Swig that it is currently working on a "technical fix" for what it also described as an "edge-case issue, potentially impacting only a very small subset of customers" who use VPNs.

Researchers were able to mount a DNS rebinding attack that revealed a VPN user's IP address "by [the user] simply visiting a [malicious] webpage for a few seconds", reads a blog post drafted by Fidus in March but eventually published last week.

DNS rebinding attacks weaponize a victim's browser by making it a proxy for attacking private networks.
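On the defender's side, DNS rebinding shows up in resolver logs as a hostname that first resolves to an external address and shortly afterwards to a private one. The following Python is an added example, not code from Fidus or from the article; the log format, hostnames, addresses and the 60-second window are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

Answer = namedtuple("Answer", "ts client qname ip")

# Constructed resolver log: epoch seconds, client, queried name, A record returned.
SAMPLE_LOG = """\
1000 10.8.0.2 cdn.example.net 203.0.113.10
1002 10.8.0.2 rebind.example.org 198.51.100.7
1005 10.8.0.2 rebind.example.org 192.168.0.1
1010 10.8.0.2 printer.home.example 192.168.0.50
1400 10.8.0.2 cdn.example.net 203.0.113.11
"""

# RFC 1918, loopback and link-local ranges, treated here as "internal".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_log(text):
    answers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, qname, ip = parts
        answers.append(Answer(int(ts), client, qname.lower().rstrip("."), ip))
    return answers

def find_rebinding(answers, window=60):
    """Return (client, qname, external_ip, internal_ip) for each name that a
    client saw flip from an external to an internal address within `window` s."""
    last_external = {}  # (client, qname) -> (ts, ip) of latest external answer
    hits = []
    for a in sorted(answers, key=lambda a: a.ts):
        key = (a.client, a.qname)
        if is_internal(a.ip):
            seen = last_external.get(key)
            if seen and a.ts - seen[0] <= window:
                hits.append((a.client, a.qname, seen[1], a.ip))
        else:
            last_external[key] = (a.ts, a.ip)
    return hits

if __name__ == "__main__":
    print(find_rebinding(parse_log(SAMPLE_LOG)))
```

A name that only ever resolves to internal addresses (the constructed `printer.home.example`) is not flagged, since the signal is the flip from external to internal rather than the internal answer itself.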
Privacy implications

The researchers successfully de-anonymized devices whose IP addresses were masked by most "market leading VPNs", Fidus' R&D team told The Daily Swig.

However, some VPN providers repelled the attack by blocking access to local IP addresses by default.

"Some blocked the attack by 'accident' by preventing LAN traffic but when this was turned off, as many people do, they instantly became vulnerable," said Fidus.

"The privacy implications are quite severe in this scenario due to the silent nature of the vulnerability," said Fidus. "In theory, it could be utilised on any popular (likely compromised) webpage and be used to unmask users who are browsing using a VPN.

"Other, more unlikely, scenarios are nation-state or law-enforcement capable bodies using this to unmask both criminals but also those utilising a VPN solution for their own safety."

However, a Virgin Media spokesperson said that "a very specific set of circumstances would need to be in place for a customer to be impacted, meaning that the risk to them is very low."

Hardware supply chain

The researchers tested the exploit against the ARRIS TG2492, but Fidus believes the vulnerability probably works against all related models.

Liberty Global has deployed the ARRIS series of DOCSIS fiber routers through multiple internet service providers that it owns worldwide, said Fidus.

The ARRIS brand is actually owned by network infrastructure provider CommScope, but Fidus believes Liberty Global owns the firmware.

"They were really vague with all the information which really didn't help us in any shape or form," said Fidus. "We did request information for who else to pass it to and that was never given to us."

Timeline

Liberty Global was first alerted to the vulnerability (CVE-2019-16651) on October 20, 2019.
On February 21, 2020, the company requested a year-long delay to public disclosure - which Fidus agreed to.

However, three subsequent requests for updates from Liberty Global - on December 9 and 21 of 2020, then March 15, 2021 - failed to elicit a response from the vendor.

Although Virgin Media has yet to complete remediation, the company said: "We have strong security measures in place to protect our network and keep our customers secure. We are not aware of any customers being affected by this issue and they do not need to take any action."

However, Fidus advises users to "firewall traffic to the router (which obviously isn't overly user friendly) or ensure LAN traffic on a VPN is blocked" if they want to protect themselves.