New Vulnerability Lets Attackers Sniff or Hijack VPN Connections

Researchers have discovered a security flaw that allows a malicious actor to sniff or hijack VPN connections. The flaw is tracked as CVE-2019-14899 and impacts Android, Linux, macOS, and other Unix-based operating systems. It resides in “the networking stacks of multiple Unix-based operating systems, and more specifically, in how the operating systems reply to unexpected network packet probes.”

Attackers can use this vulnerability to discover numerous details about the victim’s VPN connection status. The attack can be carried out from the same network, from a malicious access point, or through a router. According to the researchers, an attacker is also able to determine the exact packet sequence in individual VPN connections.

According to ZDNet and the security research team, the vulnerability is exploitable on the following operating systems:

Ubuntu 19.10 (systemd)

Fedora (systemd)

Debian 10.2 (systemd)

Arch 2019.05 (systemd)

Manjaro 18.1.1 (systemd)

Devuan (sysV init)

MX Linux 19 (Mepis+antiX)

Void Linux (runit)

Slackware 14.2 (rc.d)

Deepin (rc.d)

FreeBSD (rc.d)

OpenBSD (rc.d)

OpenVPN, WireGuard, IKEv2/IPsec, and others are affected by this vulnerability as well.


Avast and AVG Browser Extensions Spy on Chrome and Firefox Users

Four popular browser extensions have been exposed for collecting detailed browsing history and data on millions of users.

The extensions include:

Avast Online Security

AVG Online Security

Avast SafePrice

AVG SafePrice

Wladimir Palant discovered the malicious behavior of Avast and AVG extensions, stating that the companies are “sending a large amount of data about users’ browsing habits…to the company’s servers — far beyond what’s necessary for the extension to function.”

The extensions are sending the following user data to Avast:

Full URL of the page you’re on, including query part and anchor data,

A unique user identifier (UID) generated by the extension for tracking,

Page title,

Referrer URL,

How you landed on a page, e.g., by entering the address directly, using a bookmark or clicking a link,

A value that tells whether you visited a page before,

Your country code,

Browser name and its exact version number,

Your operating system and its exact version number.

Palant has reported his findings to Google and Mozilla. Mozilla took immediate action, removing the extensions from its store.


Malicious Python Package Available in PyPI Repo for past Year

A fake library has been put into the Python Package Index (PyPI) repository with the objective of stealing SSH and GPG keys from Python developers’ projects. The package, named python3-dateutil, impersonates the ‘dateutil’ package, differing only in its extended name.

The package itself does not contain malicious code; instead it imports a malicious package, called jeIlyfish, that collects SSH and GPG keys “along with a list of directories on the compromised system and deliver[s] them to the attacker.” JeIlyfish has been present in the Python Package Index since December 11, 2018.
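Both names in this item follow the two common look-alike patterns: a distribution-style prefix added to a real name (python3-dateutil for dateutil) and a visually confusable character swapped in (jeIlyfish spells jellyfish with a capital I in place of the lowercase l). The following is an added example, not code from the news item or from PyPI, of a dependency check that flags such names against a project's own allow-list. The allow-list, the confusable table, the affix list and the sample requirements file are all constructed for the example.

```python
# Added example (not part of the original news item): flag dependency names that
# imitate a known package by a confusable character or a distribution-style affix.
import re

# Constructed allow-list: packages a project legitimately depends on.
KNOWN_GOOD = {"python-dateutil", "jellyfish", "requests", "urllib3"}

# Constructed confusable map: characters commonly substituted for look-alikes.
CONFUSABLES = str.maketrans({
    "I": "l",  # capital i -> lowercase L (jeIlyfish vs jellyfish)
    "1": "l",
    "0": "o",
    "O": "o",
    "5": "s",
})

# Constructed list of affixes that mimic OS distribution package naming.
AFFIXES = ("python3-", "python-", "py3-", "py-", "-py3", "-python")

# Constructed requirements file containing two look-alikes among real names.
SAMPLE_REQUIREMENTS = """\
requests>=2.22  # fine
python3-dateutil==2.8.1
jeIlyfish
urllib3[secure]
"""


def normalize(name):
    # PEP 503 normalisation: case-fold and collapse runs of - _ . into '-'.
    return re.sub(r"[-_.]+", "-", name).lower()


def skeleton(name):
    # Replace confusables before case-folding so 'I' -> 'l' is captured.
    return normalize(name.translate(CONFUSABLES))


def strip_affixes(name):
    # Remove one leading or trailing distribution-style affix, if present.
    for affix in AFFIXES:
        if affix.startswith("-") and name.endswith(affix):
            return name[: -len(affix)]
        if not affix.startswith("-") and name.startswith(affix):
            return name[len(affix):]
    return name


def candidates(name):
    # All forms under which a name may collide with another one.
    s = skeleton(name)
    return {s, strip_affixes(s)}


def suspicious(name, known=KNOWN_GOOD):
    """Return the known package that `name` imitates, or None if it is exact/unrelated."""
    if normalize(name) in {normalize(k) for k in known}:
        return None  # exact (normalised) match with an allow-listed package
    mine = candidates(name)
    for k in known:
        if candidates(k) & mine:
            return k
    return None


def scan_requirements(text, known=KNOWN_GOOD):
    """Return [(requirement_name, imitated_known_package)] for look-alike entries."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("-"):   # skip blanks and pip options
            continue
        # Requirement name ends at the first extras/version/marker character.
        name = re.split(r"[\s\[<>=!~;@]", line, maxsplit=1)[0]
        hit = suspicious(name, known)
        if hit:
            findings.append((name, hit))
    return findings


if __name__ == "__main__":
    for name, imitated in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name!r} looks like {imitated!r}")
```

The exact-match check runs first so that a legitimately allow-listed name (urllib3, Python-DateUtil) is never reported; only names that collide with an allow-listed package after confusable mapping or affix stripping are flagged. Running the block on the constructed file reports python3-dateutil as imitating python-dateutil and jeIlyfish as imitating jellyfish.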