Virtual Private Networks (VPNs) are widely used for censorship evasion and traffic protection. VPN users expect to receive adequate security protection and, at the same time, not to be affected by other users connected to the same VPN server, which can be described as the non-interference property. However, in this paper, we identify several vulnerabilities that violate this property, specifically within the connection tracking frameworks of VPN servers, stemming from shared resource misuse and insufficient validation of session state transitions. We present three session manipulation attacks targeting TCP and UDP traffic tunneled through VPNs. An attacker who merely connects to the same VPN server can launch denial-of-service attacks, hijack the TCP connections of other clients, or inject forged DNS responses into their queries. We evaluate these attacks against five popular connection tracking frameworks across different OSes and nine major commercial VPN providers. Experimental results reveal that all frameworks and eight providers are vulnerable to at least one of the attacks. We have responsibly disclosed our findings together with countermeasures, resulting in 19 assigned CVEs/CNVDs and acknowledgments from the communities and providers.