PP has dubbed the flaw ‘Port Fail’ because it only affects providers that offer port forwarding (PP states that its own users are not affected). According to the report, the flaw undermines a VPN’s ability to mask a user’s location and identity by exposing their real IP address. However, the attacker can only obtain that address if a specific set of conditions is met.
First, the attacker must hold an active VPN account with the same provider as the victim. Second, the attacker must know the victim’s VPN exit IP address, i.e. the public address of the VPN server the victim is connected to; this can be learned through a torrent or IRC client, or by luring the victim to a website under the attacker’s control. Third, the attacker must have port forwarding enabled on that server; it does not matter whether the victim has port forwarding enabled.
Here is an example of an attack using these criteria:
- The user connects to a VPN server, e.g. 188.8.131.52;
- The user’s routing table will then resemble the following:
  0.0.0.0/0 -> 10.0.0.1 (internal VPN gateway IP)
  188.8.131.52/32 -> 192.168.0.1 (old default gateway; this host route is required so that the tunnel’s own encrypted packets are not routed back into the tunnel);
- The attacker connects to the same server (188.8.131.52) and learns, through a torrent/IRC client or other means, that the user’s exit IP address is that server;
- The attacker activates port forwarding on 188.8.131.52, using the example port 12345;
- The user is misled into following a link to 188.8.131.52:12345 (an image or script embedded in a page and pointing there works just as well);
- When the user’s machine opens that connection, the route lookup for 188.8.131.52 is won by the more specific “188.8.131.52/32 -> 192.168.0.1” host route rather than the default route into the tunnel, so the packets leave the real network interface with the user’s real IP address as source. The server forwards port 12345 into the attacker’s tunnel session, and the attacker’s listener records the user’s real IP address.
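The route selection in the steps above, as an added illustration that is not code from the Perfect Privacy report or from any VPN client. It models the client routing table quoted above with longest-prefix matching and shows that a connection to the VPN server’s own address is sourced from the real interface while anything else is tunnelled. The user’s real address 192.168.0.23, its tunnel address 10.0.0.5 and the unrelated web server 203.0.113.10 are constructed example values.

```python
"""Client-side route selection behind Port Fail (added illustration).

Models longest-prefix-match route lookup over the routing table described
in the write-up.  Assumed values: user's real address 192.168.0.23 behind
gateway 192.168.0.1, user's tunnel address 10.0.0.5, an unrelated web
server at 203.0.113.10.  The VPN server IP and port are the page's examples.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

VPN_SERVER = "188.8.131.52"   # VPN server both user and attacker are connected to
ATTACKER_PORT = 12345         # port the attacker had the server forward to them


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str
    iface: str
    src: str      # source address the kernel picks for packets using this route


def client_routes(real_ip: str, tunnel_ip: str) -> list[Route]:
    """The table a typical VPN client installs: a default route into the
    tunnel plus a /32 host route for the VPN server via the old gateway.
    The host route is unavoidable; without it the encrypted tunnel packets
    themselves would be routed into the tunnel."""
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), "10.0.0.1", "tun0", tunnel_ip),
        Route(ipaddress.ip_network(f"{VPN_SERVER}/32"), "192.168.0.1", "eth0", real_ip),
    ]


def lookup(routes: list[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def source_seen_by(routes: list[Route], dst: str) -> tuple[str, str]:
    """(interface, source IP) that a peer at dst observes on an outgoing connection."""
    r = lookup(routes, dst)
    return r.iface, r.src


def port_fail_leak(real_ip: str, tunnel_ip: str) -> str:
    """Source address the attacker's listener logs when the user follows the
    link to VPN_SERVER:ATTACKER_PORT.  The server DNATs that port into the
    attacker's tunnel session, so whatever source the user's connection
    carries is what the attacker sees.  (If the user sits behind NAT this is
    the NAT's public address, which identifies them just as well.)"""
    routes = client_routes(real_ip, tunnel_ip)
    _iface, src = source_seen_by(routes, VPN_SERVER)
    return src


if __name__ == "__main__":
    routes = client_routes("192.168.0.23", "10.0.0.5")
    print("to 203.0.113.10            ->", source_seen_by(routes, "203.0.113.10"))
    print(f"to {VPN_SERVER}:{ATTACKER_PORT} ->", source_seen_by(routes, VPN_SERVER))
    print("attacker learns:", port_fail_leak("192.168.0.23", "10.0.0.5"))
```

On a real Linux client the same decision can be checked with `ip route get 188.8.131.52` while the VPN is up: the output names the physical interface and its address as the source, not the tunnel.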
PP tested nine reputable providers that offer port forwarding. Five of them were found vulnerable, including Private Internet Access (PIA), Ovpn.to, and nVPN. All were notified before publication of the report to give them time to implement fixes. PP also made it clear that many other VPN providers are likely to be at risk.
After being alerted to the flaw, PIA announced they had “implemented firewall rules at the VPN server level to block access to forwarded ports from clients’ real IP addresses. The fix was deployed on all our servers within 12 hours of the initial report”.
PIA rewarded PP $5,000 as a token of gratitude for their prompt notification of the problem, and in line with their Whitehat Alert Security Program.
How to prevent Port Fail IP address leak
The report describes two fixes, both of which have to be implemented on the provider’s side. The first is to use separate IP addresses: clients connect inbound to IP1, while exit traffic and port forwards use IP2 to IPx. A client’s host route then only covers IP1, so a connection from that client to a forwarded port on IP2 to IPx goes through the tunnel like any other traffic and carries the tunnel address rather than the real one. The second is to have the server install a firewall rule whenever a client connects, blocking access from that client’s real IP address to any port forwards that are not its own.
If you are a VPN user and are concerned about the flaw, contact your provider at the earliest opportunity and ask which of these mitigations is in place.
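The second mitigation as an OpenVPN connect/disconnect hook, added here as an example; it is not PIA’s or Perfect Privacy’s code. OpenVPN runs the scripts named by `client-connect` and `client-disconnect` with the session’s environment, which includes `trusted_ip` (the client’s real, pre-tunnel source address), `ifconfig_pool_remote_ip` (the tunnel address assigned to the client) and `script_type` (which hook is running). The rule layout is an assumption: tunnel pool 10.0.0.0/24, port forwards implemented as DNAT to the owning client’s tunnel address, and filtering in the FORWARD chain.

```python
#!/usr/bin/env python3
"""OpenVPN client-connect / client-disconnect hook: server-side Port Fail fix.

Added example, not provider code.  Assumes: tunnel pool 10.0.0.0/24, port
forwards done as DNAT to the owning client's tunnel address, and filtering
in the FORWARD chain.  Needs root when actually applying rules.
"""
import os
import subprocess
import sys

TUN_SUBNET = "10.0.0.0/24"   # assumed VPN address pool that DNAT'd port forwards land in


def build_rules(real_ip: str, tunnel_ip: str, add: bool = True) -> list[list[str]]:
    """iptables argv lists that stop real_ip from reaching forwarded ports
    other than the client's own.

    After DNAT in PREROUTING, a packet for a forwarded port is addressed to
    the owning client's tunnel IP, so in FORWARD "destination in the pool but
    not my tunnel IP" means "someone else's port forward".  Traffic that really
    came through the tunnel has a 10.0.0.x source, not real_ip, and the
    client's own OpenVPN session terminates in INPUT, so neither is affected.
    """
    op = "-I" if add else "-D"
    tag = ["-m", "comment", "--comment", f"portfail {tunnel_ip}"]
    allow_own = ["iptables", op, "FORWARD", "-s", real_ip, "-d", tunnel_ip,
                 "-j", "ACCEPT"] + tag
    drop_rest = ["iptables", op, "FORWARD", "-s", real_ip, "-d", TUN_SUBNET,
                 "-j", "DROP"] + tag
    # -I inserts at the top of the chain, so insert the DROP first; the
    # ACCEPT for the client's own forward then ends up above it.
    return [drop_rest, allow_own] if add else [allow_own, drop_rest]


def apply_rules(rules: list[list[str]], run=subprocess.run) -> int:
    """Execute each argv; `run` is injectable so the logic can be tested dry."""
    for argv in rules:
        run(argv, check=True)
    return len(rules)


def main() -> int:
    try:
        real_ip = os.environ["trusted_ip"]
        tunnel_ip = os.environ["ifconfig_pool_remote_ip"]
    except KeyError as missing:
        print(f"missing OpenVPN environment variable {missing}", file=sys.stderr)
        return 1
    add = os.environ.get("script_type") == "client-connect"
    apply_rules(build_rules(real_ip, tunnel_ip, add))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Two caveats worth knowing before deploying this. If several clients sit behind one NAT address, each of their ACCEPT rules widens what that shared address may reach, so the first mitigation (separate inbound and port-forward IPs) is the cleaner fix in that setting. And on the client side, a firewall that only permits traffic to the VPN server’s tunnel port outside the tunnel would also drop the connection to port 12345, though that protects only users who configure it.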