CVE-2019-16651: Vulnerability in Virgin Media Super Hub 3 routers allows determining the real IP address of VPN users

Cybersecurity specialists from Fidus Information Security reported the detection of a critical zero-day vulnerability in Virgin Media Super Hub 3 whose successful exploitation would allow threat actors to reveal the real IP addresses of VPN users.

Tracked as CVE-2019-16651, the flaw was reported almost two years ago, although given its nature and the delay in correcting it, the technical details have not been known until now.

The researchers also claimed to have postponed their investigation for a year at the request of Virgin, which later acknowledged that its security teams were already working to find a solution to this flaw, described as an “external problem that could affect a small set of VPN clients.”

During its tests, Fidus was able to mount a DNS relay attack that revealed the IP address of a VPN user; all that was needed was to redirect the target to a malicious website for a few seconds: “This attack variant turns the victim’s browser into a lethal weapon,” experts claim.

Experts managed to find the real IP addresses of multiple targets using some of the most popular VPN services today. It is important to mention that some providers appear to have anticipated this possibility, since they block access to local IP addresses by default.

Still, experts believe that the risk to the privacy of millions of VPN users should not be underestimated, as this flaw is easily exploitable in the wild: “In theory, this flaw could be used on any popular website, revealing the true IP address of up to millions of users.”

Moreover, members of the cybersecurity community believe that it would also be possible for hacking groups sponsored by state actors to deploy large-scale exploitation campaigns of this flaw, which would put countless targets around the world at risk. In this regard, a Virgin spokesperson only commented that “hackers would require the conjunction of highly specific circumstances for a user to be affected, a possibility that is further reduced by talking about hundreds, thousands or millions of users.”
