Researchers have identified a memory disclosure vulnerability in China's Great Firewall (GFW), dubbed Wallbleed. The flaw caused the GFW's DNS-injection middleboxes to include up to 125 bytes of their own memory in the forged responses they sent back for crafted DNS queries, exposing fragments of whatever data those devices were handling at the time.
The Big Picture
The vulnerability gave researchers an unprecedented look into the internal workings of China's censorship infrastructure. The team studied Wallbleed for more than two years (October 2021 to April 2024), combining Internet-wide scans with reverse engineering of the injector's parsing behaviour to measure its impact. The findings describe how the GFW's DNS injection operates at a deep technical level.
To see why this matters, it helps to know how the GFW's DNS censorship works.
- Suppose a user inside China wants to visit Facebook.
- Their device sends a DNS query to resolve facebook.com.
- The GFW's middleboxes sit on-path at the network border and inspect the DNS traffic passing through them.
- When a middlebox sees a query for a domain on its blocklist, it does not need to drop or intercept the query; the packet continues on to the intended resolver (such as Google's 8.8.8.8).
- Instead, the GFW injects a forged DNS response, spoofed so that it appears to come from that resolver.
- The forged response carries an address that does not belong to facebook.com (the GFW hands out bogus addresses from a pool of its own choosing).
- Because the forged response arrives before the genuine one, the user's device accepts it and ignores the real answer that arrives later.
- The device then tries to connect to the wrong address, the connection fails or times out, and the user sees an error.
This is cheap and effective for the censor: the device only has to observe and inject, never hold or modify a connection. But to build the forged response the injector has to parse the query, and that parsing is where Wallbleed lives.
A DNS name is encoded on the wire as a sequence of labels, each prefixed by a one-byte length. When a crafted query reached the GFW with a label length that claimed more bytes than the packet actually contained, the injector did not stop at the end of the query. It kept copying from the memory that followed the packet buffer into the name it echoed back in the forged response, a classic buffer over-read. Each such response leaked up to 125 bytes of the middlebox's memory to whoever sent the query.
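To make both the injection and the over-read concrete, here is an added example in C, written for this page and not code from the Wallbleed paper or from the GFW itself: a toy DNS injector that parses the query name and echoes it into a forged A-record response, first with the unchecked label-length handling that produces a Wallbleed-style over-read and then with the bounds check that prevents it. The query bytes and the "neighbouring memory" (an unrelated HTTP request) are constructed samples laid out in one array so the over-read stays inside the program; the 125-byte name-buffer cap is an assumption chosen to mirror the maximum leak the study reports, and the injected address is a placeholder from the TEST-NET-3 range.

```c
/* Added example, not code from the Wallbleed paper or from the GFW: a toy DNS
 * injector that echoes a query's QNAME into a forged response, once with the
 * unchecked label-length parsing that produces a Wallbleed-style over-read and
 * once with the bounds check that prevents it.  The "neighbouring memory" is a
 * constructed buffer laid out right after the query. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12
/* Capacity of the toy injector's name buffer.  125 mirrors the largest leak the
 * study reports; that the real device's limit works this way is an assumption. */
#define QNAME_CAP 125

/* VULNERABLE: walks the length-prefixed labels starting at mem[12] and trusts
 * every length byte, never comparing it with query_len.  A label that claims
 * more bytes than the query holds is served from whatever follows the query.
 * mem_len only keeps this toy inside its own array; a real injector has no such
 * fence.  Returns the number of name bytes copied (excluding the root label). */
static int qname_copy_unchecked(const uint8_t *mem, size_t mem_len,
                                size_t query_len, uint8_t out[QNAME_CAP])
{
    size_t pos = DNS_HDR_LEN, n = 0;
    (void)query_len;                      /* the bug: never consulted */
    while (pos < mem_len && n < QNAME_CAP) {
        uint8_t len = mem[pos++];
        if (len == 0)                     /* root label: name complete */
            break;
        out[n++] = len;
        for (uint8_t i = 0; i < len && pos < mem_len && n < QNAME_CAP; i++)
            out[n++] = mem[pos++];        /* may run past query_len */
    }
    return (int)n;
}

/* HARDENED: the same walk with the checks a wire-format parser needs.  Rejects
 * a label longer than 63 octets (RFC 1035; this also catches 0xC0 compression
 * pointers, which this toy does not support) and any label that would extend
 * past the end of the query.  Returns name length, or -1 to drop the packet. */
static int qname_copy_checked(const uint8_t *mem, size_t query_len,
                              uint8_t out[QNAME_CAP])
{
    size_t pos = DNS_HDR_LEN, n = 0;
    while (pos < query_len) {
        uint8_t len = mem[pos++];
        if (len == 0)
            return (int)n;
        if (len > 63 || pos + len > query_len || n + 1 + len > QNAME_CAP)
            return -1;                    /* the check Wallbleed lacked */
        out[n++] = len;
        memcpy(out + n, mem + pos, len);
        n += len;
        pos += len;
    }
    return -1;                            /* query ended before the root label */
}

/* Forge the injector's answer: copy the transaction ID, set QR/RD/RA, echo the
 * parsed name into the question section, and answer with one A record holding
 * the caller's address.  resp needs DNS_HDR_LEN + QNAME_CAP + 21 bytes. */
static size_t forge_response(const uint8_t *query, const uint8_t *qname,
                             int qname_len, const uint8_t ip[4], uint8_t *resp)
{
    static const uint8_t a_in[4] = {0, 1, 0, 1};        /* TYPE A, CLASS IN */
    size_t n = 0;
    resp[n++] = query[0]; resp[n++] = query[1];         /* transaction ID */
    resp[n++] = 0x81;     resp[n++] = 0x80;             /* QR=1 RD=1 RA=1 */
    memcpy(resp + n, "\x00\x01\x00\x01\x00\x00\x00\x00", 8); n += 8; /* QD=1 AN=1 */
    memcpy(resp + n, qname, (size_t)qname_len); n += (size_t)qname_len;
    resp[n++] = 0;                                      /* root label */
    memcpy(resp + n, a_in, 4); n += 4;
    resp[n++] = 0xC0; resp[n++] = 0x0C;                 /* NAME -> question name */
    memcpy(resp + n, a_in, 4); n += 4;
    memcpy(resp + n, "\x00\x00\x0E\x10\x00\x04", 6); n += 6; /* TTL 3600, RDLENGTH 4 */
    memcpy(resp + n, ip, 4); n += 4;
    return n;
}

/* Constructed samples (not captures).  crafted_query's last label claims 63
 * bytes but the packet ends after "fac"; stale_neighbour stands in for another
 * user's HTTP request left in memory right after it. */
static const uint8_t crafted_query[20] = {
    0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0,
    3, 'w', 'w', 'w', 63, 'f', 'a', 'c'};
static const char stale_neighbour[] =
    "GET /login HTTP/1.1\r\nHost: mail.example.cn\r\n"
    "Cookie: session=7f3a9c\r\nUser-Agent: constructed-sample/1.0\r\n"
    "Accept: */*\r\nAccept-Language: zh-CN\r\n\r\n";

/* Lay query and neighbour out contiguously; returns total bytes in mem. */
static size_t build_memory(uint8_t *mem)
{
    memcpy(mem, crafted_query, sizeof crafted_query);
    memcpy(mem + sizeof crafted_query, stale_neighbour, sizeof stale_neighbour - 1);
    return sizeof crafted_query + sizeof stale_neighbour - 1;
}

int main(void)
{
    uint8_t mem[512], name[QNAME_CAP], resp[256];
    static const uint8_t bogus_ip[4] = {203, 0, 113, 7};  /* TEST-NET-3 placeholder */
    size_t mem_len = build_memory(mem);

    int n = qname_copy_unchecked(mem, mem_len, sizeof crafted_query, name);
    size_t rlen = forge_response(mem, name, n, bogus_ip, resp);
    printf("unchecked: %d name bytes, %d of them read past the query; "
           "forged response is %zu bytes\n", n, n - 8, rlen);
    printf("leaked fragment: %.*s\n", 40, (const char *)name + 8);

    n = qname_copy_checked(mem, sizeof crafted_query, name);
    printf("checked: %s\n", n < 0 ? "query rejected, nothing injected" : "ok");
    return 0;
}
```

The vulnerable walk never compares a label length with the query length, so the 63-byte label that the 20-byte query cannot back is served from the bytes after the packet, and those bytes ride out in the question section of the forged response exactly as the leaked fragments did. The hardened version rejects the packet instead. A production parser would additionally enforce the 255-octet total name limit from RFC 1035.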
Possible Leaked Data due to Wallbleed
- The majority of leaked memory fragments contained network protocol headers, including IPv4, TCP, UDP, and HTTP.
- Other leaks exposed partial application-layer data, including SMTP email metadata, SSH banners, and TLS handshake data.
- A significant share of the leaked bytes were fragments of unrelated network traffic, showing that the injector's memory held other users' packets alongside the query being parsed and that nothing isolated them from the response being built.
- Both IPv4 and IPv6 DNS queries were handled by the same vulnerable injectors, so the leak occurred regardless of IP version.
- The leaked data included pieces of network traffic from users in China, raising the concern that the censorship mechanism itself was exposing private user data to anyone who sent it a crafted query.
An attempt to patch Wallbleed in late 2023 did not fully close the hole, and the flaw has not been entirely resolved.
The Bottom Line
- Unpatched, Wallbleed can leak traffic not only from users in China but also from people abroad whose connections to servers in China pass through the same middleboxes.
- Researchers argue that similar flaws may exist in the censorship systems of other countries, such as Russia, Iran, and Turkmenistan.
- It calls into question how securely state-operated censorship technology is built, given the volume of traffic it inspects.
- The leaked memory also revealed details of how the GFW's blocklists are structured.
Source: hxxps[://]gfw[.]report/publications/ndss25/data/paper/wallbleed.pdf