VU#199397: Insecure Implementation of Tunneling Protocols (GRE/IPIP/4in6/6in4)
Tunnelling protocols are essential to the Internet's infrastructure, but they do not authenticate or encrypt traffic, making them vulnerable to attacks. Researchers at the DistriNet-KU Leuven research group have discovered millions of vulnerable Internet systems that accept unauthenticated traffic. These systems can be abused as one-way proxies, enable source address spoofing, or provide access to private networks. They can also facilitate Denial-of-Service (DoS) attacks, including amplification attacks that can increase traffic by 13- and 75-fold. Additionally, the researchers discovered an Economic Denial of Sustainability (EDoS) attack, which can drain a vulnerable system's outgoing bandwidth, increasing operational costs. An adversary can exploit these vulnerabilities to create one-way proxies, spoof source addresses, and perform DDoS attacks. The researchers have proposed defenses against these attacks, which can be found in their publication. The vulnerabilities have been assigned CVE numbers, including CVE-2024-7595, CVE-2024-7596, CVE-2025-23018, and CVE-2025-23019. These CVEs highlight the inherent weakness of these protocols, which do not validate or verify the source of network packets. The researchers' findings have significant implications for network security and infrastructure.