CVE-2021-3773: 
Linux Kernel vulnerability analysis and mitigation

A flaw in netfilter was discovered that could allow a network-connected attacker to infer OpenVPN connection endpoint information, which could be used for further traditional network attacks. The vulnerability, identified as CVE-2021-3773, was disclosed on September 6, 2021, affecting Linux systems using netfilter with OpenVPN connections (CVE Mitre, NVD).

The vulnerability exists in the connection tracking framework of netfilter, which is used by VPN software like OpenVPN, WireGuard, and OpenConnect on Linux and FreeBSD systems. The flaw allows for a port shadow attack, where an attacker can abuse the shared resources in the connection tracking framework to potentially compromise other VPN users' connections. The vulnerability received a CVSS v3.1 score of 9.8 (Critical) (Ubuntu).

If exploited, this vulnerability could allow attackers to perform various malicious actions including deanonymizing VPN client connections, redirecting DNS requests, performing port scans, and potentially launching machine-in-the-middle attacks against other VPN users connected to the same server (Citizen Lab).

For Linux systems, implementing specific IPtables rules can prevent the attack. The recommended mitigation includes restricting source ports that VPN clients can use and limiting the number of concurrent connections per client. Additionally, users can switch to alternative protocols such as Shadowsocks or Tor, which are not affected by this vulnerability as they don't rely on the problematic connection tracking framework (Citizen Lab).