Security experts discovered a new set of tunnel protocol vulnerabilities that could expose millions of devices to a broad range of cyberattacks.
According to the research, the issue revolves around internet hosts that fail to verify the sender's identity when handling tunneling packets.
This paves the way for host takeovers, which could allow attackers to breach vulnerable networks and weaponize the hosts for anonymized attacks.
The study, by Top10VPN in collaboration with KU Leuven professor and security researcher Mathy Vanhoef, revealed that the vulnerability affects as many as 4.2 million hosts.
ISP home routers, VPNs, mobile network gateways, content delivery network (CDN) nodes, and core internet users are on the list of devices susceptible to the vulnerability.
As the research pointed out, Brazil, China, France, Japan, and the US are among the most affected countries.
In an attack scenario, threat actors could exploit the vulnerability to turn a susceptible device into a one-way proxy and even use it to launch denial-of-service (DoS) attacks.
The vulnerability stems from the way tunneling protocols such as 4in6, 6in4, IP6IP6 and GRE6 carry traffic between networks without authenticating the sender.
Further complicating matters, these protocols are typically deployed without a security layer such as IPSec that would encrypt and authenticate the tunneled traffic.
Perpetrators could even abuse these shortcomings to inject malicious traffic into a tunnel by sending a packet with two IP headers, encapsulated with one of the affected protocols.
Researchers recommend using robust protocols like IPSec or WireGuard to defend against attacks exploiting the vulnerability. These enforce authentication and encryption, so tunneling packets from unknown sources are filtered out.
Traffic filtering on routers and middleboxes, deep packet inspection (DPI) and blocking all unencrypted tunneling packets are also encouraged as mitigation steps.
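As an added illustration (not code from the article or from the researchers), the following Python check parses a raw IPv4 packet, recognises the IPv4-outer tunneling protocols named above (IPIP, 6in4, GRE), extracts the inner packet's addresses, and drops tunnel packets whose outer source is not a configured trusted peer. The trusted-peer list and the sample packets are constructed for the example.

```python
import ipaddress
import struct

# Outer IPv4 protocol numbers of the tunnelling protocols discussed above:
# 4 = IPIP, 41 = IPv6-in-IPv4 (6in4), 47 = GRE. The IPv6-outer variants
# (4in6, IP6IP6, GRE6) would need an IPv6 outer-header parser, omitted here.
TUNNEL_PROTOS = {4: "IPIP", 41: "6in4", 47: "GRE"}

def inner_addresses(proto, payload):
    """Return (inner_src, inner_dst) of the encapsulated packet, or None."""
    if proto == 47 and len(payload) >= 4:
        # GRE: 2 bytes flags/version, 2 bytes EtherType, then optional fields
        # (checksum/offset if C or R set, key if K set, sequence if S set).
        flags, ethertype = struct.unpack("!HH", payload[:4])
        off = 4 + 4 * bool(flags & 0xC000) + 4 * bool(flags & 0x2000)
        off += 4 * bool(flags & 0x1000)
        payload = payload[off:]
        proto = {0x0800: 4, 0x86DD: 41}.get(ethertype)
    if proto == 4 and len(payload) >= 20:
        return (str(ipaddress.IPv4Address(payload[12:16])),
                str(ipaddress.IPv4Address(payload[16:20])))
    if proto == 41 and len(payload) >= 40:
        return (str(ipaddress.IPv6Address(payload[8:24])),
                str(ipaddress.IPv6Address(payload[24:40])))
    return None

def check_tunnel_packet(packet, trusted_peers):
    """Verdict for a raw IPv4 packet: 'pass' (not a tunnel), 'accept' or 'drop'."""
    ihl = (packet[0] & 0x0F) * 4          # outer header length in bytes
    proto = packet[9]
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    if proto not in TUNNEL_PROTOS:
        return ("pass", "not a tunnelling packet")
    inner = inner_addresses(proto, packet[ihl:])
    detail = f"{TUNNEL_PROTOS[proto]} outer src {outer_src}, inner {inner}"
    # Without a trusted-peer check, any sender can wrap a packet in a second
    # IP header and have this host unwrap and forward the inner one.
    if outer_src not in trusted_peers:
        return ("drop", "untrusted " + detail)
    return ("accept", detail)

def build_ipv4(src, dst, proto, payload=b""):
    """Constructed test helper: minimal IPv4 header (checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

# Constructed samples: one inner packet, wrapped by an unknown host and by a known peer.
TRUSTED = {"192.0.2.10"}
INNER = build_ipv4("10.0.0.5", "10.0.0.9", 6)
SPOOFED = build_ipv4("198.51.100.7", "203.0.113.1", 4, INNER)
LEGIT = build_ipv4("192.0.2.10", "203.0.113.1", 4, INNER)
```

Running `check_tunnel_packet` over `SPOOFED` and `LEGIT` with `TRUSTED` yields a drop and an accept respectively; in practice the same allowlist logic belongs in the router's packet filter rather than in user space.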
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.