Tunneling Protocol Vulnerabilities Put 4.2 Million Hosts at Risk, Including VPNs and Routers
January 20, 2025
New findings highlight security flaws in several tunneling protocols that expose an estimated 4.2 million hosts to abuse. "Internet hosts that accept tunneling packets without verifying the sender's identity can be hijacked to perform anonymous attacks and provide access to their networks," according to a study by Top10VPN, in collaboration with Mathy Vanhoef, a professor and researcher at KU Leuven. The hosts at risk include VPN servers, ISP home routers, core internet routers, mobile network gateways, and content delivery network (CDN) nodes. The countries with the most affected hosts are China, France, Japan, the U.S., and Brazil.
Successful exploitation could allow an attacker to misuse a vulnerable system as a one-way proxy (traffic can be sent through it, but replies go to the spoofed source rather than to the attacker) or to conduct denial-of-service (DoS) attacks. The CERT Coordination Center (CERT/CC) stated in an advisory, "An adversary can abuse these security vulnerabilities to create one-way proxies and spoof source IPv4/6 addresses. Vulnerable systems may also allow access to an organization's private network or be abused to perform DDoS attacks."
The flaws affect tunneling protocols such as IP6IP6, GRE6, 4in6, and 6in4, which carry packets of one network across another, for example IPv6 traffic over an IPv4-only path between two sites. On their own these protocols neither authenticate nor encrypt traffic; unless they are wrapped in a protocol that does, such as Internet Protocol Security (IPsec), a tunnel endpoint cannot distinguish a packet from its legitimate peer from one sent by anyone else on the internet. This allows an attacker to inject arbitrary traffic into a tunnel, a variation of a flaw flagged in IP-in-IP encapsulation in 2020 (CVE-2020-10136).
Each affected protocol has been assigned its own CVE identifier. Simon Migliano from Top10VPN explained the potential exploit, "An attacker simply needs to send a packet encapsulated using one of the affected protocols with two IP headers. The outer header contains the attacker's source IP with the vulnerable host's IP as the destination. The inner header's source IP is that of the vulnerable host rather than the attacker. The destination IP is that of the target of the anonymous attack."
When the vulnerable host receives such a packet, it strips the outer IP header and forwards the inner packet to its destination. Because the inner packet's source address is that of the vulnerable host, which the target or filters along the path may trust, the traffic bypasses source-based network filters, and the attacker's own address never appears beyond the tunnel endpoint.
As a countermeasure, the researchers suggest using IPsec or WireGuard to provide authentication and encryption, and accepting tunneling packets only from configured, trusted peers. At the network level, they recommend traffic filtering on routers and middleboxes, deep packet inspection (DPI), and blocking all unencrypted tunneling packets (IP protocol or next-header values 4 for IPIP and 4in6, 41 for 6in4 and IP6IP6, and 47 for GRE and GRE6). "The impact on victims of these DoS attacks can include network congestion, service disruption as resources are consumed by the traffic overload, and crashing of overloaded network devices," said Migliano. "It also opens up opportunities for further exploitation, such as man-in-the-middle attacks and data interception."
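To make the two-header packet and the "verify the sender" countermeasure concrete, the following added example (written for this page, not code from Top10VPN, KU Leuven or the study) builds the IPv4-in-IPv4 variant of the packet Migliano describes and runs it through two model decapsulators: one that forwards whatever it unwraps, as a vulnerable host does, and one that drops tunnel packets whose outer source is not a configured peer or whose inner source is not a prefix that peer is allowed to send from. The addresses are RFC 5737 documentation addresses, the peer table is a constructed configuration, and only protocol 4 (IPIP) is parsed; 6in4 and GRE differ only in how the inner packet is parsed, not in the checks.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4   # IPv4-in-IPv4; 6in4 is 41 and GRE is 47 (not parsed here)
IPPROTO_UDP = 17


def ipv4_checksum(hdr):
    """RFC 1071 one's-complement sum; returns 0 for a header with a valid checksum."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Parse one IPv4 header; returns src, dst, proto and the payload bytes."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": pkt[9], "payload": pkt[ihl:total_len]}


def craft_spoofing_packet(attacker, vuln_host, target, inner_payload):
    """Outer header attacker -> vulnerable host; inner header vulnerable host -> target."""
    inner = build_ipv4(vuln_host, target, IPPROTO_UDP, inner_payload)
    return build_ipv4(attacker, vuln_host, IPPROTO_IPIP, inner)


def decapsulate_unverified(pkt):
    """Vulnerable behaviour: strip the outer header and pass the inner packet on
    with whatever source address it carries, whoever sent the outer packet."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPIP:
        return None
    return parse_ipv4(outer["payload"])


def decapsulate_verified(pkt, own_addr, peers):
    """Hardened behaviour. peers maps each configured remote tunnel endpoint to
    the prefix its inner packets may come from (hypothetical config shape)."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPIP:
        return ("not-tunnel", None)
    if outer["dst"] != own_addr:
        return ("drop: not addressed to this endpoint", None)
    allowed = peers.get(outer["src"])
    if allowed is None:
        return ("drop: outer source %s is not a configured peer" % outer["src"], None)
    inner = parse_ipv4(outer["payload"])
    # Anti-spoofing: the inner source must never be our own address and must
    # fall inside the prefix routed through this particular peer.
    if inner["src"] == own_addr or ipaddress.IPv4Address(inner["src"]) not in allowed:
        return ("drop: inner source %s not valid for peer %s"
                % (inner["src"], outer["src"]), None)
    return ("accept", inner)


# Constructed scenario (RFC 5737 documentation addresses, invented peer table).
ATTACKER, VULN_HOST, TARGET = "203.0.113.7", "198.51.100.1", "192.0.2.10"
LEGIT_PEER = "192.0.2.200"
PEERS = {LEGIT_PEER: ipaddress.ip_network("10.20.0.0/16")}


def demo():
    spoofed = craft_spoofing_packet(ATTACKER, VULN_HOST, TARGET, b"constructed payload")
    legit = build_ipv4(LEGIT_PEER, VULN_HOST, IPPROTO_IPIP,
                       build_ipv4("10.20.1.5", TARGET, IPPROTO_UDP, b"hello"))
    return {"unverified_forwards_as": decapsulate_unverified(spoofed)["src"],
            "verified_spoofed": decapsulate_verified(spoofed, VULN_HOST, PEERS)[0],
            "verified_legit": decapsulate_verified(legit, VULN_HOST, PEERS)[0]}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The unverified path hands the target a packet whose source is the vulnerable host, which is exactly the one-way proxy effect described above. The verified path rejects the same packet before the inner header is even looked at, and still catches a configured peer that tries to inject a packet claiming the endpoint's own address. Real endpoints do this in the kernel or the router's forwarding plane; the equivalent of the peer check there is restricting the tunnel's remote endpoint and filtering protocol 4/41/47 from all other sources.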