Inferring and hijacking VPN-tunneled TCP connections
On December 8th, 2019, security researcher William Tolley published vulnerabilities found in multiple Linux and Unix operating systems that allow an attacker to infer and hijack TCP connections inside a VPN tunnel. An attacker using this technique could compromise SSL VPN, IPsec, and WireGuard (a VPN application) connections. The attacker must be on the same local network as the vulnerable system and able to observe all traffic to and from it. The attacker uses packet-size analysis to identify the VPN packets and then tries to take over a connection by sending spoofed SYN/ACK packets. When successful, an attacker could compromise the VPN and potentially interfere with protected traffic.
The Firebox uses an SSL VPN client for Management Tunnels and BOVPN-Over-TLS. It is not affected by this vulnerability.
For this attack to work, a specially crafted packet is sent to the victim. When the crafted packet is addressed to the correct virtual IP address, a vulnerable system responds with a reset, which confirms the address to the attacker. The Firebox does not respond to this packet, regardless of whether the virtual IP address is correct.
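The tell-tale pattern described above can be checked for in a packet log from the client side: a SYN/ACK arriving in the clear on the physical uplink but addressed to the tunnel's virtual IP range, followed by a reset leaving the same uplink with that virtual address as its source. The following detector is an added example written for this article; it is not WatchGuard code and not code from the original research. It assumes a constructed one-line-per-packet log format, a physical interface named eth0, and a virtual VPN range of 10.8.0.0/24; all three are assumptions, and the sample log lines are constructed.

```python
"""Detect unencapsulated SYN/ACK probes for a VPN's virtual address and the
reset that a vulnerable host sends back in the clear.

Constructed example, not WatchGuard's or the researcher's code. Assumed log
format (constructed for this example), one packet per line:
    <iface> <in|out> <src_ip>:<sport> > <dst_ip>:<dport> [<flags>]
where flags use tcpdump letters: S = SYN, . = ACK, R = RST.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumptions for this example: the physical uplink and the tunnel's virtual range.
PHYSICAL_IFACE = "eth0"
VPN_VIRTUAL_NET = ipaddress.ip_network("10.8.0.0/24")

LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"\[(?P<flags>[^\]]*)\]$"
)


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    flags: str


def parse_line(line):
    """Return a Packet for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(m["iface"], m["dir"],
                  ipaddress.ip_address(m["src"]), int(m["sport"]),
                  ipaddress.ip_address(m["dst"]), int(m["dport"]), m["flags"])


def is_probe(pkt):
    """SYN/ACK arriving unencapsulated on the uplink for a tunnel-internal address.
    Real tunnel traffic is encapsulated, so this should never appear in the clear."""
    return (pkt.iface == PHYSICAL_IFACE and pkt.direction == "in"
            and "S" in pkt.flags and "." in pkt.flags
            and pkt.dst in VPN_VIRTUAL_NET)


def is_reset(pkt):
    """RST leaving the uplink with a tunnel-internal source address."""
    return (pkt.iface == PHYSICAL_IFACE and pkt.direction == "out"
            and "R" in pkt.flags and pkt.src in VPN_VIRTUAL_NET)


def analyze(lines):
    """Count probes and the resets that answer them.

    A reset only counts as a leak when its 4-tuple is the reverse of a probe
    already seen, so unrelated RSTs from the virtual address are ignored.
    A non-empty leak count means the host behaved like the vulnerable systems
    described in the article rather than like the Firebox.
    """
    probes = set()
    leaked = 0
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if is_probe(pkt):
            probes.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        elif is_reset(pkt) and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in probes:
            leaked += 1
    return {"probes": len(probes), "leaked_resets": leaked,
            "vulnerable_behaviour": leaked > 0}


# Constructed sample log: two probes from a LAN peer, one answered in the clear,
# plus ordinary tunnel and encapsulated traffic that must not be flagged.
SAMPLE_LOG = [
    "eth0 in 203.0.113.5:443 > 10.8.0.2:51000 [S.]",     # probe for virtual IP
    "eth0 out 10.8.0.2:51000 > 203.0.113.5:443 [R.]",    # reset leaked on uplink
    "tun0 out 10.8.0.2:40000 > 10.8.0.1:443 [S]",        # normal traffic inside tunnel
    "eth0 out 192.0.2.10:50000 > 198.51.100.9:1194 [.]", # encapsulated VPN traffic
    "eth0 in 203.0.113.5:443 > 10.8.0.2:51001 [S.]",     # second probe, unanswered
    "eth0 in 203.0.113.5:443 > 192.0.2.10:22 [S.]",      # SYN/ACK to real address, not a probe
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run on the constructed log, `analyze` reports two probes and one leaked reset, so `vulnerable_behaviour` is true. On a host that behaves like the Firebox the probes would still be visible but the leaked-reset count would stay at zero, which is the distinction the article draws.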
While the vulnerability does not affect WatchGuard devices, it could still compromise VPN connections to a Firebox if the client OS is vulnerable.