Vulnerabilities in Tunneling Protocols Expose Millions of Internet Hosts

Learn how to secure cloud environments and network infrastructure from tunneling protocol vulnerabilities to protect against anonymous attacks and unauthorized network access.


Recent research has identified security vulnerabilities in several tunneling protocols that affect approximately 4.2 million internet hosts, including VPN servers and routers. The vulnerabilities arise because the affected hosts accept tunneled packets without verifying who sent them: protocols such as IP6IP6, GRE6, 4in6 and 6in4 carry no authentication or encryption of their own, so any internet host can inject traffic into the tunnel. The affected hosts, concentrated in China, France, Japan, the U.S. and Brazil, can be misused as one-way proxies for anonymous attacks and for denial-of-service attacks. Mitigation strategies include wrapping tunnels in IPsec or WireGuard, accepting tunneling packets only from trusted sources, filtering traffic and applying deep packet inspection, and blocking unencrypted tunneling packets.


Key Facts

Risks:

Misconfiguration, Shadow IT/Exposed Assets, Other: Inadequate Authentication

Keywords:

Tunneling Protocols, VPN Vulnerabilities, GRE, IP6IP6, DDoS Attacks, Network Security

CVE:

CVE-2020-10136; CVE-2024-7595; CVE-2024-7596; CVE-2025-23018; CVE-2025-23019

Affected:

VPN servers, ISP home routers, core internet routers, mobile network gateways, content delivery network (CDN) nodes


Article Body

Security Flaws in Tunneling Protocols Threaten Millions of Internet Hosts

Overview

New research has uncovered significant security vulnerabilities in several tunneling protocols, affecting approximately 4.2 million internet hosts globally. These vulnerabilities are found in various systems, including VPN servers, ISP home routers, core internet routers, mobile network gateways, and content delivery network (CDN) nodes. Countries most impacted include China, France, Japan, the U.S., and Brazil.

The Vulnerabilities

The vulnerabilities stem from tunneling protocols such as IP6IP6, GRE6, 4in6 and 6in4, which carry one network's packets across another, for example IPv6 traffic over an IPv4-only path. These protocols have no authentication or encryption of their own; unless they are wrapped in a secure layer such as Internet Protocol Security (IPsec), a tunnel endpoint cannot distinguish a packet from its legitimate peer from one sent by an arbitrary internet host. Without that safeguard, the protocols are open to abuse, allowing attackers to inject malicious traffic, conduct denial-of-service (DoS) attacks, and turn the endpoints into one-way proxies.

Attack Methodology

The attack involves sending a packet that carries two IP headers. The outer header holds the attacker's source IP and the vulnerable host's IP as the destination, so the packet is routed to the tunnel endpoint. The inner header holds the vulnerable host's IP as the source and the attack target's IP as the destination. When the vulnerable host receives the packet, it strips the outer header and forwards the inner packet unchanged, so the target sees traffic that appears to originate from the vulnerable host. Filters that trust the host's address, or that would have rejected the attacker's own address, are bypassed, and the attacker's real IP never reaches the target.

Potential Impact

Exploitation of these vulnerabilities lets attackers launch attacks anonymously and reach networks that would otherwise reject their traffic. Because the forwarded packets carry the vulnerable host's address, the host's owner is the one who appears responsible, and the same hosts can be chained into one-way proxies or used to direct DoS traffic at third parties.

Mitigation Recommendations

To mitigate these risks, it is advised to implement the following security measures:

- Protect tunnels with IPsec or WireGuard so that encapsulated packets are authenticated and encrypted.
- Accept tunneling packets only from trusted sources, that is, from the configured tunnel peers.
- Filter traffic and apply deep packet inspection to tunneled packets before forwarding them.
- Block unencrypted tunneling packets at the network edge.

By adopting these strategies, organizations can better protect their networks and reduce the risk posed by these vulnerabilities.
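The following Python script is an added illustration written for this page; it is not code from the original article or from the researchers. It emulates the attack described under "Attack Methodology" and the first two mitigations above using IP6IP6 (IPv6-in-IPv6, next header 41): it builds the two-header packet as raw bytes, shows what a naive tunnel endpoint forwards after stripping the outer header, and contrasts that with a hardened endpoint that accepts tunnel packets only from configured peers and checks that the inner source address is actually routed behind that peer. All addresses are constructed from the RFC 3849 documentation prefix, the peer/prefix table is an assumption, and the inner payload is a placeholder rather than a valid UDP datagram.

```python
"""Emulate IP6IP6 decapsulation on a naive and on a hardened tunnel endpoint.

Added example for this page (not from the original article). Addresses are
constructed documentation-prefix values; PEER_PREFIXES is an assumed config.
"""
import ipaddress
import struct

IPV6_HDR_LEN = 40
NEXTHDR_IPV6 = 41   # IANA protocol number: IPv6 encapsulated in IPv6/IPv4
NEXTHDR_UDP = 17

# Constructed addresses (RFC 3849 documentation prefix).
ATTACKER = ipaddress.IPv6Address("2001:db8:bad::1")
TUNNEL_HOST = ipaddress.IPv6Address("2001:db8:1::1")   # the vulnerable endpoint
TRUSTED_PEER = ipaddress.IPv6Address("2001:db8:1::2")  # its only legitimate peer
PEER_CLIENT = ipaddress.IPv6Address("2001:db8:3::5")   # a host behind the peer
VICTIM = ipaddress.IPv6Address("2001:db8:2::9")

# Assumed tunnel configuration: which prefixes each peer may send from.
PEER_PREFIXES = {TRUSTED_PEER: [ipaddress.IPv6Network("2001:db8:3::/48")]}


def ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    """Serialise a fixed 40-byte IPv6 header (version 6, zero class/flow label)."""
    first_word = 6 << 28
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def parse_ipv6_header(pkt):
    """Return (src, dst, next_header, payload_len) for the header at pkt[0:40]."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    _, payload_len, next_header, _ = struct.unpack("!IHBB", pkt[:8])
    return (ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40]),
            next_header, payload_len)


def encapsulate(outer_src, inner_src, inner_dst, payload=b"\x00" * 8):
    """Build outer(outer_src -> TUNNEL_HOST) wrapping inner(inner_src -> inner_dst).

    The payload is a placeholder, not a valid UDP datagram.
    """
    inner = ipv6_header(inner_src, inner_dst, NEXTHDR_UDP, len(payload)) + payload
    return ipv6_header(outer_src, TUNNEL_HOST, NEXTHDR_IPV6, len(inner)) + inner


def decapsulate_naive(pkt):
    """Vulnerable behaviour: strip the outer header and forward whatever is inside,
    without checking who sent the outer packet or what the inner source claims."""
    _, dst, next_header, _ = parse_ipv6_header(pkt)
    if dst != TUNNEL_HOST or next_header != NEXTHDR_IPV6:
        return None  # not a tunnel packet for this host
    return pkt[IPV6_HDR_LEN:]  # forwarded as-is, inner source is TUNNEL_HOST


def decapsulate_hardened(pkt, peer_prefixes=PEER_PREFIXES,
                         local_addrs=frozenset({TUNNEL_HOST})):
    """Mitigated behaviour: only configured peers may send tunnel packets, and the
    inner source must lie in a prefix routed behind that peer (anti-spoofing)."""
    src, dst, next_header, _ = parse_ipv6_header(pkt)
    if dst not in local_addrs or next_header != NEXTHDR_IPV6:
        return None, "ignored: not a tunnel packet addressed to this host"
    if src not in peer_prefixes:
        return None, f"dropped: outer source {src} is not a configured tunnel peer"
    inner = pkt[IPV6_HDR_LEN:]
    inner_src, _, _, _ = parse_ipv6_header(inner)
    if not any(inner_src in net for net in peer_prefixes[src]):
        return None, f"dropped: inner source {inner_src} is not routed behind peer {src}"
    return inner, "forwarded"


if __name__ == "__main__":
    attack = encapsulate(ATTACKER, TUNNEL_HOST, VICTIM)   # the described attack
    forwarded = decapsulate_naive(attack)
    print("naive endpoint forwards:", parse_ipv6_header(forwarded)[:2])
    for pkt in (attack,
                encapsulate(TRUSTED_PEER, TUNNEL_HOST, VICTIM),  # abused peer, spoofed inner src
                encapsulate(TRUSTED_PEER, PEER_CLIENT, VICTIM)):  # legitimate tunnel traffic
        print("hardened endpoint:", decapsulate_hardened(pkt)[1])
```

The naive endpoint emits a packet whose source is its own address and whose destination is the victim, which is exactly the one-way proxy the article describes. The hardened version drops the attacker's packet at the outer-source check and, if a legitimate peer is abused to send a spoofed inner packet, at the inner-source check; on a real Linux endpoint the same two checks correspond to restricting protocol 41 (and 47 for GRE) to known peer addresses in the packet filter and enabling reverse-path filtering on the tunnel interface.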

CVE Identifiers

The affected tunneling protocols have been assigned the following CVE identifiers:

- CVE-2020-10136: IP-in-IP (IPv4-in-IPv4) encapsulation
- CVE-2024-7595: GRE and GRE6
- CVE-2024-7596: Generic UDP Encapsulation (GUE)
- CVE-2025-23018: IPv4-in-IPv6 (4in6) and IPv6-in-IPv6 (IP6IP6)
- CVE-2025-23019: IPv6-in-IPv4 (6in4)

Addressing these vulnerabilities is crucial for maintaining the security and integrity of network infrastructures.


Read More

https://thehackernews.com/2025/01/unsecured-tunneling-protocols-expose-42.html?m=1