An Atlas VPN zero-day vulnerability affecting the Linux client leaks a user's real IP address just by visiting a website.
Atlas VPN is a VPN product that offers an affordable solution based on WireGuard and supports all major operating systems.
In a proof-of-concept exploit shared on Reddit, a researcher describes how the Linux client of Atlas VPN, specifically the latest version, 1.0.3, has an API endpoint that listens on localhost (127.0.0.1) over port 8076.
This API offers a command-line interface (CLI) for performing various actions, such as disconnecting a VPN session using the http://127.0.0.1:8076/connection/stop URL.
However, this API does not perform any authentication, allowing anyone to issue commands to the CLI, even a website you are visiting.
Atlas VPN API leads to zero-day exploit
A Reddit user named 'Educational-Map-8145' published a PoC exploit on Reddit that abuses the Atlas VPN Linux API to reveal a user's real IP address.
This PoC creates a hidden form that is automatically submitted by JavaScript to connect to the http://127.0.0.1:8076/connection/stop API endpoint URL.
When this API endpoint is accessed, it automatically terminates any active Atlas VPN sessions that hide a user's IP address.
Once the VPN connection is disconnected, the PoC will connect to the api.ipify.org URL to log the visitor's actual IP address.
This is a severe privacy breach for any VPN user, as it exposes their approximate physical location and actual IP address, allowing them to be tracked and nullifying one of the core reasons for using a VPN provider.
Amazon cybersecurity engineer Chris Partridge tested and confirmed the exploit, creating the video below to demonstrate that it can be leveraged to reveal an IP address.
Partridge further explained that the PoC bypasses existing CORS (Cross-Origin Resource Sharing) protections in web browsers because the requests are sent to the Atlas VPN API as form submissions.
"Form submissions are exempt from CORS for legacy/compatibility reasons; they're considered a 'simple request' by the CORS spec," Partridge told BleepingComputer.
Normally, CORS would block requests made by scripts in web pages to domains other than the origin domain. In the case of this exploit, that would be requests made by any website to a visitor's localhost at "http://127.0.0.1:8076/connection/stop."
However, Partridge explained to BleepingComputer that using a form submission to "bypass" CORS would not allow a website to see any response from the form submission.
In this case, though, the response is not needed, as the form submission is simply used to access the URL that disconnects the Atlas VPN connection on Linux.
"Assumption being that forms should already guard against CSRF. Which, as we can see today, is not a good assumption and has led to some unintended consequences," warned Partridge.
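The defensive counterpart to the problem described above, added here as an example and not Atlas VPN's code: a localhost control API that requires a secret the browser cannot know and refuses browser-originated form submissions. The bearer-token scheme, the port reuse and the disconnect placeholder are assumptions; Origin and Sec-Fetch-Site are standard headers browsers attach to cross-site requests.

```python
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed design: a per-install secret only the local CLI can read.
# A web page cannot learn it, so a forged form post cannot supply it.
API_TOKEN = secrets.token_hex(16)
LOCAL_ORIGINS = {"http://127.0.0.1:8076", "http://localhost:8076"}
# Body types a browser form can send without a CORS preflight.
FORM_TYPES = ("application/x-www-form-urlencoded", "multipart/form-data", "text/plain")


def check_request(headers, token):
    """Return (allowed, reason). A browser form submission carries the
    sending page's Origin and Sec-Fetch-Site: cross-site, so either one
    rejects it; the token is checked first because curl sends neither."""
    h = {k.lower(): v for k, v in headers.items()}
    supplied = h.get("authorization", "").encode()
    if not hmac.compare_digest(supplied, f"Bearer {token}".encode()):
        return False, "missing or wrong token"
    origin = h.get("origin")
    if origin is not None and origin not in LOCAL_ORIGINS:
        return False, f"cross-origin request from {origin}"
    if h.get("sec-fetch-site", "none") not in ("none", "same-origin"):
        return False, "cross-site fetch metadata"
    if h.get("content-type", "").startswith(FORM_TYPES):
        # Accepting only JSON makes the request non-simple, so CORS preflights it.
        return False, "form-encoded body not accepted"
    return True, "ok"


class ControlHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        allowed, reason = check_request(dict(self.headers), API_TOKEN)
        if self.path != "/connection/stop":
            allowed, reason = False, "unknown endpoint"
        if not allowed:
            self.send_response(403)
            self.end_headers()
            self.wfile.write(reason.encode())
            return
        # disconnect_vpn() would run here; placeholder, not implemented.
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"disconnected")


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8076), ControlHandler).serve_forever()
```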
Fix coming in upcoming patch
The Reddit user claims that they contacted Atlas VPN about the issue but were ignored, and since the company did not have a bug bounty program in place, public disclosure was the only logical option left.
Atlas VPN eventually responded to the issue four days after the disclosure, apologizing to the reporter and promising to release a fix for its Linux client as soon as possible. Linux users will also be notified when the update is available.
In response to our request for a comment, a spokesperson for Atlas VPN sent the following:
"We are aware of the security vulnerability that affects our Linux client. We take security and user privacy very seriously. Therefore, we are actively working on fixing it as soon as possible. Once resolved, our users will receive a prompt to update their Linux app to the latest version.
The vulnerability affects Atlas VPN Linux client version 1.0.3. As the researcher stated, due to the vulnerability, the application and, hence, encrypted traffic between a user and the VPN gateway can be disconnected by a malicious actor. This could lead to the user's IP address disclosure.
We greatly appreciate the cybersecurity researchers' essential role in identifying and addressing security flaws in systems, which helps safeguard against potential cyberattacks, and we thank them for bringing this vulnerability to our attention. We will implement additional security checks in the development process to avoid such vulnerabilities in the future. Should anyone come across any other potential threats related to our service, please contact us via security@atlasvpn.com." – Atlas VPN.
Given the critical nature of this zero-day vulnerability, which remains exploitable until a patch is released, Atlas VPN Linux client users are strongly advised to take immediate precautions, including considering an alternative VPN solution.