Linux clients users Atlas VPN Data leaks may occur, at least temporary. Experts confirmed a zero-day Atlas VPN flaw affecting the Linux client which can reveal a user’s IP by visiting a site.
A Reddit user with the handle ‘Educational-Map-8145′ published a proof-of-concept exploit last week for a zero-day flaw in the Linux client of Atlas VPN. The exploit code only works with the latest version, 1.0.3.
According to the researcher the Linux client for Atlas VPN, namely the latest version (1.0.3), contains an API endpoint which listens at localhost (127.0.0.1), over port 8076. This API offers a command-line interface (CLI) for performing various actions, such as disconnecting a VPN session using the URL http://127.0.0.1:8076/connection/stop.
This configuration has a problem because it does not perform authentication. Anyone can issue commands to the CLI.
Atlas VPN’s head of IT acknowledged the flaw on Reddit on Tuesday. He apologized for the late response and noted that the IT staff was working to fix the issue.
Edvardas Gárbenis, a cybersecurity expert and publisher with Atlas VPN, has confirmed this information.
We are aware of the vulnerability in our Linux client. We take privacy and security of users very seriously. We’re working to fix it as quickly as possible,” Garbenis said in a statement to LinuxInsider. Once the issue is resolved, users will be prompted to update to the latest Linux version.
Garbenis has not provided a timeline for resolving the vulnerability. He confirmed, however, that the vulnerability is only affecting the Linux client.
Details Revealed
Reddit stated that Atlas VPN Linux Client version 1.0.3 was affected. The malicious actor may be able to disconnect the Linux client and the encrypted traffic between the Linux users and the VPN gateway. In turn, the user’s IP could be revealed.
Reddit researcher claimed in a blog post that the researchers are unaware of its widespread use. The poster also questioned Atlas VPN’s reliability and security.
According to a Reddit user, the vulnerability has two main components. Atlasvpnd, a daemon, manages connections. Atlasvpn, a client, provides the user with controls to connect, list services, and disconnect.
Instead of using a secure local socket, or any other means to connect securely, the Linux application opens an API at localhost port 8076. This is done without authentication. Any program running on the accessing computer — including the web browser — can use this port. Any malicious JavaScript can create a request for that port on any website and disconnect the VPN.
According to the Reddit post, “If it runs another request then this leaks the users’ home IP address to ANY WEBSITE using the exploit code.”
Flaw is not so unique
A VPN may be installed at the perimeter of the network, depending on how the infrastructure is set up. This allows access to both internal and external networks. Mayuresh Dani noted that security solutions inline can trust both incoming and outgoing data. Qualys.
Endpoint VPN clients exist on all devices, which increases the attack surface. This makes VPNs attractive targets for both internal and external threat actors, he told LinuxInsider.
In today’s hybrid working environment, a compromised virtual private network could lead to the loss of sensitive data. This also allows external hackers to access internal networks, said he.
VPN Popularity Leads To Security Errors
The VPN market is crowded, and it’s competitive. Around 33% of internet users use VPNs to hide their identity or change their location.
“It’s a big market, with a lot players. Cost can be the main way to differentiate between providers. When the cost per user is low, it can lead to software that rushes to grab the market,” Shawn Surber Senior Director of Technical Account Management at converged Endpoint Management firm TaniumLinuxInsider was suggested by.
This vulnerability may have been caused by an incorrect assumption that protection against cross-origin resources sharing (CORS). Engineers designed the security feature in order to prevent data theft as well as loading outside resources. It was not intended to address the vulnerability.
He explained that in the Atlas VPN scenario the attacker uses a simple command, which is able to slip through CORS’ gauntlet. It turns off VPN in this case and exposes user IP address and location.
“This is an important problem for VPN users.” “It does not yet appear that any other information is exposed or that malware can be installed,” he said.
Tool for New Cyberattacks
For a malicious actor, any information is valuable. Nick Rago is the field CTO of API Security Company. He said that an experienced adversary would know how to take advantage of this information in a campaign. Salt Security.
The first wave of a campaign to launch a cyberattack is often a social engineering attack. The Atlas VPN Linux vulnerability could be exploited by bad actors to create a convincing and effective phishing campaign tailored to a specific user.
He told LinuxInsider that “proper endpoint protection” is crucial so that the security team of an organization can determine if there are any interfaces on employee systems that could be used in an unintended manner. If they allow it to exist, then that interface will be blocked.
VPN Cybersecurity Reminder
The recent security vulnerability found in Atlas VPN’s Linux Client version 1.0.3 serves as a reminder of the possible risks associated with VPNs, even though they are designed to increase privacy and security.
Atlas VPN is working to resolve the issue. Users should stay vigilant and keep up-to-date with all software patches.
This case highlights the need for VPN services to implement strict security measures including endpoint protection. Consumers who depend on VPNs should also take note.
Every weak link can have serious consequences in today’s complex cyber landscape.
