Source: www.infosecurity-magazine.com – Author: 1
A Reddit user known as “Educational-Map-8145” has exposed a critical zero-day flaw affecting the Linux client of Atlas VPN, a popular virtual private network service.
The vulnerability, which impacts the latest version of the client (1.0.3), allows malicious websites to disconnect the VPN and reveal the user’s IP address, raising concerns about user privacy and security.
According to the Reddit post published last week, the vulnerability stems from an API endpoint within the Atlas VPN Linux Client that listens on localhost (127.0.0.1) through port 8076.
This API provides a command-line interface for various functions, including disconnecting a VPN session via a specific URL. Notably, this API lacks any form of authentication, making it susceptible to abuse by any program running on the user’s computer, including web browsers.
“Depending on the infrastructure setup, often a VPN sits at the perimeter, allowing access to internal and external networks,” explained Mayuresh Dani, manager of threat research at Qualys.
“Security solutions that are in line trust the incoming and outgoing traffic. Endpoint VPN clients are […] on all devices today, increasing the attack surface. This positioning makes VPNs an attractive target for both external and internal threat actors.”
The exploit code, shared by the researcher, demonstrates the issue, enabling any website to trigger the VPN disconnection and subsequently leak the user’s home IP address.
As security experts warn of the risk, Atlas VPN users are advised to exercise caution when browsing the web until a patch or solution is provided to address this critical vulnerability.
“This vulnerability appears to be caused by the assumption that Cross-Origin Resource Sharing [CORS] protection would prevent it, but CORS is designed to prevent data theft and loading of outside resources,” commented Shawn Surber, senior director of technical account management at Tanium.
“In this scenario, the attack uses a simple command instead, which slips through the CORS gauntlet – and in this case, turns off the VPN, immediately exposing the user’s IP and therefore general location.”
Read more about VPN-focussed attacks: VPN and RDP Exploitation the Most Common Attack Technique
Despite the potential security risk, attempts to contact Atlas VPN’s support for responsible disclosure or information on a bug bounty program by Educational-Map-8145 have reportedly gone unanswered.
In an effort to obtain an official statement regarding the security concern, Infosecurity reached out to Atlas VPN for comment; however, as of the time of writing, no response has been received.
Editorial image credit: Ralf Liebhold / Shutterstock.com
Original Post URL: https://www.infosecurity-magazine.com/news/zero-day-flaw-exposes-atlas-vpn/
Category & Tags: –
