Dangerous tunnels

Krematorij

A new study has identified vulnerabilities in popular tunneling protocols (IPIP, GRE, 4in6, 6in4) used by VPN servers, routers, backbone routers, and mobile network nodes. The problem affects more than 4 million hosts, with 1.8 million of them being exploitable for spoofing.

Experts have warned that hosts that accept tunnel packets without verifying the sender can be hacked, used to conduct anonymous attacks, and gain access to networks.

The study was published by Top10VPN and was created in collaboration with Mathy Vanhoef, professor at KU Leuven and renowned information security researcher, and PhD student Angelos Beitis.

It should be noted that Vanhoef is widely known for his research in the field of Wi-Fi security: among other things, he discovered and described such high-profile problems as SSID Confusion, FragAttacks, Dragonblood and KRACK.

This time, the experts studied tunneling protocols, which are used to transfer data between different networks and allow a network to carry traffic it may not natively support (for example, IPv6 traffic over an IPv4 network). To do this, they encapsulate one packet inside another.

The researchers identified several tunneling protocols (including IPIP/IP6IP6, GRE/GRE6, 4in6 and 6in4) that are vulnerable to abuse, since they provide neither authentication nor encryption of traffic unless additional protection (for example, IPsec) is used.

Experts explained that incorrectly configured systems accept tunnel packets without checking the sender. This allows attackers to send specially prepared packets to a vulnerable host containing the victim's IP address, thereby forcing the host to forward an internal packet to the victim, which opens the door for attackers to subsequent attacks.

"Attackers only need to send a packet encapsulated using one of the affected protocols with two IP headers. The outer header contains the source IP address of the attacker, and the recipient is the IP address of the vulnerable host. The inner header contains the IP address of the vulnerable host, not the attacker," the experts explain.

Thus, upon receiving such a malicious packet, the vulnerable host automatically strips the outer header and forwards the inner packet to its destination. Because the source IP address in the inner packet belongs to the vulnerable (and trusted) host, the packet is able to bypass network filters.


Attackers can use this technique to conduct anonymous attacks, including using hosts as one-way proxies, performing DoS attacks, and DNS spoofing, as well as gaining access to internal networks and IoT devices.

The researchers scanned the Internet and found 4.26 million hosts vulnerable to these issues, including VPN servers, routers (which ISPs provide to their subscribers), backbone routers, mobile network gateways and nodes, and CDNs. It is noted that more than 1.8 million of these vulnerable hosts can be used for spoofing.

The majority of vulnerable hosts were found in China, France, Japan, the United States, and Brazil.

As a result, the discovered vulnerabilities were assigned the identifiers CVE-2024-7595 (GRE and GRE6), CVE-2025-23018 (IPv4-in-IPv6 and IPv6-in-IPv6), CVE-2025-23019 (IPv6-in-IPv4) and CVE-2024-7596 (Generic UDP Encapsulation).

As a defense, the experts recommend using IPsec or WireGuard to provide authentication and encryption, and accepting tunneled packets only from trusted sources. It is also recommended to implement traffic filtering on routers and intermediate nodes at the network level, use DPI, and block all unencrypted tunneled packets.

More in-depth technical details of the research are available in the scientific article already published by Vanhoef and Beitis.
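The missing sender check that the article describes, and the "accept only from trusted sources" mitigation it recommends, as an added example that is not part of the original post or of the study: a small IPIP (IP-in-IP, protocol 4) decapsulation policy that parses the two IPv4 headers of a tunnel packet and drops it when the outer source is not a configured peer or when the inner source claims to be the tunnel host itself. The host address, peer list and sample packets are constructed for illustration.

```python
import struct
import socket

# Assumed addresses for this tunnel endpoint and its one legitimate peer (constructed).
HOST_ADDR = "203.0.113.10"
TRUSTED_PEERS = {"198.51.100.7"}
IPPROTO_IPIP = 4  # IP-in-IP, one of the protocols named in the article

def build_ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at zero; enough for the parsing demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4_header(data):
    """Return (src, dst, proto, header_len) or None if data is not a plausible IPv4 header."""
    if len(data) < 20 or data[0] >> 4 != 4:
        return None
    ihl = (data[0] & 0x0F) * 4
    if ihl < 20 or len(data) < ihl:
        return None
    return socket.inet_ntoa(data[12:16]), socket.inet_ntoa(data[16:20]), data[9], ihl

def evaluate_tunnel_packet(packet, host_addr=HOST_ADDR, trusted_peers=TRUSTED_PEERS):
    """Decide what a tunnel endpoint should do with an incoming packet.
    'accept' is returned only for IPIP packets whose outer sender is a trusted peer."""
    outer = parse_ipv4_header(packet)
    if outer is None:
        return "drop: not IPv4"
    o_src, _, o_proto, o_len = outer
    if o_proto != IPPROTO_IPIP:
        return "pass: not a tunnel packet"
    inner = parse_ipv4_header(packet[o_len:])
    if inner is None:
        return "drop: malformed inner header"
    i_src, i_dst, _, _ = inner
    # The check the vulnerable hosts lack: who actually sent the outer packet?
    if o_src not in trusted_peers:
        return f"drop: untrusted outer source {o_src} (inner {i_src}->{i_dst})"
    # Heuristic from the attack shape described in the article: a legitimate peer never
    # hands us an inner packet that claims to originate from this host.
    if i_src == host_addr:
        return "drop: inner source spoofs this host"
    return "accept"

# Constructed sample packets (not captures from the study). The first has the attack shape
# described above: unknown outer sender, inner source set to the tunnel host, victim as inner dst.
INNER_ATTACK = build_ipv4_header(HOST_ADDR, "198.51.100.200", 17, 0)
SPOOFED_PACKET = build_ipv4_header("192.0.2.66", HOST_ADDR, IPPROTO_IPIP, 20) + INNER_ATTACK
INNER_LEGIT = build_ipv4_header("10.0.0.5", "10.0.1.9", 17, 0)
LEGIT_PACKET = build_ipv4_header("198.51.100.7", HOST_ADDR, IPPROTO_IPIP, 20) + INNER_LEGIT
```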