About
V2Ray is a versatile network utility that provides a platform for building proxies to bypass network restrictions—enabling users to access the internet safely and privately in restricted contexts where surveillance and censorship are prevalent. In addition to being open source, V2Ray is designed with encryption and obfuscation functions that make it harder for surveillance forces to detect instances of the service by observing its network traffic. Because V2Ray supports multiple transport protocols and can run natively on Windows, Mac OS, and Linux, it is highly adaptable for different uses and users. This flexibility also increases the difficulty of profiling by potential attackers.
Audit Description
Through OTF’s Security Lab, 7ASecurity conducted a security review of V2Ray in March 2024, including the first-ever penetration test for the tool. The “whitebox” audit (a form of testing in which auditors have complete knowledge of the item being tested) and penetration testing focused on the key components and most commonly used features of the V2Ray toolset. The reviewers were provided with access to a reference server, documentation, and the V2Ray source code.
Scope
The assessment included whitebox tests against V2Ray servers and clients and a V2Ray server runtime analysis via the Secure Shell (SSH) protocol (a method for securely sending commands to a computer over an unsecure network). Reviewers also conducted a separate whitebox review of V2Ray’s supply chain implementation, audited against the SLSA framework—a security framework that entails a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure
Findings
The auditors reported three notable vulnerabilities, all categorized at the “Medium” level. They also included seven recommended areas where V2Ray can harden its security surface to remove weaknesses that, while less significant than the primary vulnerabilities, could be exploited when combined with other weaknesses, or if an attacker has greater access, or in other edge cases.
Overall, the audit showed that V2Ray is well-protected against a broad range of attack vectors. No “critical” or “high severity” issues were identified. The strengths of the system noted by 7ASecurity included:
- Resilience against common web application security threats such as command injection or SQL injection (a cyber attack that uses malicious SQL code to access sensitive data from a database)
- Robustness against malformed request headers and stress scenarios
- The presence of an extensive test suite, which can make an application easier to maintain and easier to integrate with outside tools
- Good maintenance, update, and release practices by the development team and “meticulously organized and documented” source code
The main vulnerabilities detected were related to “fingerprinting” attacks, in which attackers use device and network behaviors to target the sources of encrypted traffic. The report named three areas flagged as “Medium”-level vulnerabilities:
- The Golang programming framework V2Ray is based on does not support sending empty User Agent Header, which allows V2Ray to be distinguished as a Golang HTTP Client.
- The standard Golang TLS implementation is distinguishable from other implementations. This makes V2Ray network traffic easier to identify when assessed in combination with other behaviors, unless integrated uTLS support is enabled.
- Failure to remove Keep-Alive headers, which make V2Ray connections easier to detect
The security audit also noted several less significant areas of exposure, many of which would require an additional vulnerability in order to be exploited:
- A vulnerability in the Mac OS version of V2Ray that could allow the injection of malicious code from V2Ray processes created by attackers (Medium)
- Unnecessary vulnerability to Denial of Service (DoS) attacks due to missing timeout settings in HTTP services (Medium)
- A lack of enforcement against older, deprecated versions of TLS, which could permit Man-in-the-Middle attacks on V2Ray users (Low)
- Use of the weaker random number generator math/rand instead of the more secure crypto/rand alternative (Low)
- Less restrictive file permission settings, which could make it too easy for attackers to access configuration files, for instance in a shared hosting scenario (Low)
- Components with known vulnerabilities in packages used directly or as underlying dependencies in V2Ray (Low)
- Exposure to memory corruption risks because V2Ray’s Linux binaries do not leverage a number of compiler flags that could mitigate potential vulnerabilities (Informational)
The final portion of the report assessed the supply chain integrity implementation of the V2Ray project, as audited against the SLSA framework. Supply chain integrity seeks to help ensure that every step in the software development process and infrastructure is secure and free from tampering. The audit found that V2Ray satisfies the requirements of SLSA v1.0 and met some but not all of the requirements of SLSA v0.1. The report details recommended steps for V2Ray to reach full compliance with SLSA v0.1, including integrating automated tools like slsa-github-generator and slsa-verifier into the build process.
Remediation
Of the issues noted above, the V2Ray team addressed the following, which 7ASecurity confirmed through retesting:
- Failure to remove Keep-Alive headers, which make V2Ray connections easier to detect (Medium)
- Use of the weaker random number generator math/rand instead of the more secure crypto/rand alternative (Low)
- Components with known vulnerabilities in packages used directly or as underlying dependencies in V2Ray (Low)
- A lack of enforcement against older, deprecated versions of TLS, which could permit Man-in-the-Middle attacks on V2Ray users (Low)
- Less restrictive file permission settings, which could make it too easy for attackers to access configuration files, for instance in a shared hosting scenario (Low)
- Unnecessary vulnerability to Denial of Service (DoS) attacks due to missing timeout settings in HTTP services (Medium)
- Exposure to memory corruption risks because V2Ray’s Linux binaries do not leverage a number of compiler flags that could mitigate potential vulnerabilities (Informational)
