Linux client users of Atlas VPN may be at risk of data leaks, at least temporarily. Experts confirmed an Atlas VPN zero-day flaw impacting the Linux client that can reveal the user’s IP address by visiting a website.
A Reddit user with the handle ‘Educational-Map-8145’ published a proof-of-concept exploit last week for a zero-day flaw in the Linux client of Atlas VPN. The exploit code works against the latest version of the client, 1.0.3.
According to the researcher, the Linux client of Atlas VPN, specifically the latest version (1.0.3), has an API endpoint that listens on localhost (127.0.0.1) over port 8076. This API offers a command-line interface (CLI) for performing various actions, such as disconnecting a VPN session using the URL http://127.0.0.1:8076/connection/stop.
The problem with this configuration is that this API does not perform any authentication, which allows anyone to issue commands to the CLI, even a website you visit.
The head of Atlas VPN’s IT department on Tuesday, several days later, posted on Reddit an acknowledgment of the flaw, apologizing for the delay in responding and noting that the company’s IT workers were fixing the issue.
Edvardas Garbenis, a cybersecurity researcher and publisher at Atlas VPN, confirmed that information.
“We’re aware of the security vulnerability that affects our Linux client. We take security and user privacy very seriously. Therefore, we’re actively working on fixing it as soon as possible,” Garbenis told LinuxInsider. “Once resolved, our users will receive a prompt to update their Linux app to the latest version.”
Garbenis did not provide a timeline to resolve the vulnerability. However, he confirmed that the issue is limited to the Linux client and does not affect other Atlas VPN apps.
The Reddit post indicated that the vulnerability affects Atlas VPN Linux client version 1.0.3. As a result, a malicious actor can disconnect the Linux application and encrypted traffic between a Linux user and the VPN gateway, potentially disclosing the user’s IP address.
The Reddit cyber researcher said in the post that they are not yet aware of its use in the wild. However, the poster also questioned the reliability and security of Atlas VPN.
The root cause of the vulnerability consists of two parts, according to the Reddit poster. A daemon (atlasvpnd) manages the connections, and a client (atlasvpn) provides user controls to connect, disconnect, and list services.
“If it then runs another request, this leaks the user’s home IP address to ANY website using the exploit code,” according to the Reddit poster.
Flaw Maybe Not So Unique
Depending on the infrastructure setup, often a VPN sits at the perimeter, allowing access to internal and external networks. Also, security solutions that are inline trust the incoming and outgoing traffic, noted Mayuresh Dani, manager of threat research at IT, security, and compliance firm Qualys.
“Endpoint VPN clients are present on all devices today, increasing the attack surface. This positioning makes VPNs an attractive target for both external and internal threat actors,” he told LinuxInsider.
Given today’s hybrid work environment, a compromised VPN could result in the loss of sensitive personal information. It also allows external attackers access to the internal networks, he added.
VPN Popularity Leads to Security Slip-Ups
The VPN provider marketplace is now crowded and competitive. About 33% of all internet users rely on VPNs to mask their identity or shift their origin location.
“It is a huge market, but with a lot of players. It can be difficult to differentiate providers by anything other than cost. And when the costs per user are very low, that can lead to rushed software trying to capture the market,” Shawn Surber, senior director of technical account management at converged endpoint management firm Tanium, suggested to LinuxInsider.
The assumption that cross-origin resource sharing (CORS) protection would prevent it might have caused the vulnerability. However, engineers designed that security feature to prevent data theft and loading of outside resources, not to address the vulnerability in question.
In the Atlas VPN scenario, the attack uses a simple command instead, which slips through the CORS gauntlet, he explained. In this case, it turns off the VPN, immediately exposing the user’s IP and general location.
“This is a pretty significant problem for the VPN users. It does not, as yet, appear to expose any other data or provide an avenue for installation of malware,” he noted.
Tool for New Cyberattacks
Any information is good information for a malicious actor. An experienced adversary will know how to use that information to their advantage in an attack campaign, offered Nick Rago, field CTO at API security company Salt Security.
Social engineering plays a role in the first wave of a cyberattack campaign. Disabling a targeted user’s VPN and exposing their IP and geolocation let bad actors leverage that information to craft a more convincing and effective phishing attack tailored to the targeted user, he said of the potential danger of the Atlas VPN Linux vulnerability.
“Proper endpoint protection here is key so that an organization’s security team can discover if any interfaces, such as an open, unexposed API, is present on their employee systems, and, if allowed to exist, block any attempt to use that interface in an unexpected manner,” he told LinuxInsider.
VPN Cybersecurity Reminder
The recent vulnerability discovered in Atlas VPN’s Linux client version 1.0.3 is a stark reminder of the potential risks associated with VPN services, even as they aim to enhance security and privacy.
While Atlas VPN is actively addressing the issue, users should remain vigilant and stay updated with software patches.
This case also underscores the critical need for rigorous security measures, including proper endpoint protection, by VPN services and consumers who rely on them.
Given today’s increasingly complex cybersecurity landscape, every weak link in the security chain can have significant consequences.