IP leak affecting VPN providers with port forwarding

[iTpHo3NiX]

https://www.perfect-privacy.com/blog/2015/11/26/ip-leak-vulnerability-affecting-vpn-providers-with-port-forwarding/

Vulnerability “Port Fail” reveals real IP address
We have discovered a vulnerability in a number of providers that allows an attacker to expose the real IP address of a victim. “Port Fail” affects VPN providers that offer port forwarding and have no protection against this specific attack. Perfect Privacy users are protected from this attack.

This IP leak affects all users: The victim does not need to use port forwarding, only the attacker has to set it up.

We have tested this with nine prominent VPN providers that offer port forwarding. Five of those were vulnerable to the attack and have been notified in advance so they could fix this issue before publication. However, other VPN providers may be vulnerable to this attack as we could not possibly test all existing VPN providers.

[Katheudo]

Private Internet Access have already released patches for their servers and client programs. Both for Linux and Windows.

Linux Beta App: https://www.privateinternetaccess.com/forum/discussion/1940/pia-vpn-app-linux-beta

Windows: https://www.privateinternetaccess.com/pages/client-support/

Save people searching if they use this VPN provider...

[Architect]

I can attest to this. I was part of a small team to investigate <large and widely used VPN network here> for this reason and it all came down to server side weaknesses that, as it turns out, are very difficult to patch for this type of vuln.

Good luck every other company that is vulnerable. This will cost thousands to have professionally and efficiently resolved.