A series of TunnelCrack attacks aimed at intercepting VPN traffic

A group of researchers from New York University has developed two methods of attacking VPNs, presented under the name TunnelCrack. The identified vulnerabilities allow an attacker who controls the victim's wireless access point or local network to redirect requests to the target host to their server, bypassing the VPN tunnel. An attack can be carried out, for example, when connecting through an untrustworthy Internet provider or a wireless network deployed by attackers. As a result of the attack, an attacker can organize the interception of unencrypted user traffic (connections established via HTTPS remain protected).

Identified attack methods:

• LocalNet (CVE-2023-36672, CVE-2023-35838) - The method is based on the fact that most VPN clients allow direct access to the local network. The attack comes down to having the attacker-controlled gateway assign the victim an IP address from the same subnet as the target host whose traffic is to be intercepted. The victim's networking stack then considers that host directly reachable and sends the traffic to the attacker's gateway rather than through the VPN.

For example, if the goal is to intercept traffic to the target.com site, which has the IP address 1.2.3.4, the attacker, when the client connects to a wireless or local network, advertises the 1.2.3.0/24 range as the local network and assigns the victim an address from this range. If the VPN client allows direct access to the local network, the request to 1.2.3.4 goes directly to the attacker's host.

• ServerIP (CVE-2023-36673, CVE-2023-36671) - The method is based on the fact that many VPN clients do not encrypt traffic destined for the VPN server's IP address, to avoid re-encrypting packets. The essence of the attack is that an attacker who controls the local network and the DNS server can make the domain whose requests are to be intercepted resolve to the same IP address as the VPN server. When the target domain is accessed, the VPN client assumes it is talking to its own VPN server and sends the packets unencrypted, outside the VPN tunnel.

For example, if the user connects to the vpn.com VPN server with the address 2.2.2.2 and the goal is to intercept traffic to the target.com host with the address 1.2.3.4, an attacker who controls the DNS server used by the client can make vpn.com resolve to the address of the intercepted host, 1.2.3.4 (the same as target.com). To keep the VPN connection functional, the attacker forwards the encrypted requests to the real VPN server while analyzing the requests to target.com that are sent outside the encrypted VPN tunnel.
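As an added illustration, not taken from the researchers' write-up or any VPN vendor's code, the following Python models the two tunnel exemptions described above beside a hardened variant, using the post's example addresses. The private-range list, the exact-endpoint check and the pinned-address comparison are assumptions about how a client could be hardened, not documented vendor behaviour.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: "local network access" is only legitimately needed for private or
# link-local ranges (printers, NAS); a public range handed out by DHCP is suspect.
LAN_ONLY_RANGES = [ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


def lenient_bypass(flow, local_subnet, vpn_server_ip):
    """Policy the post describes: any packet to the DHCP-assigned subnet (LocalNet)
    or to the VPN server's address (ServerIP) leaves the host outside the tunnel.
    Returns the name of the exemption that fires, or None if the packet stays tunnelled."""
    dst = ip_address(flow.dst_ip)
    if dst in ip_network(local_subnet):
        return "LocalNet"
    if dst == ip_address(vpn_server_ip):
        return "ServerIP"
    return None


def hardened_bypass(flow, local_subnet, vpn_server_ip, vpn_server_port, vpn_proto="udp"):
    """Hardened policy (assumed): the local exemption applies only when the assigned
    subnet lies inside a private/link-local range, and the server exemption applies
    only to the exact VPN endpoint tuple, so plain HTTP to that address stays tunnelled."""
    dst = ip_address(flow.dst_ip)
    subnet = ip_network(local_subnet)
    if dst in subnet and any(r.version == subnet.version and subnet.subnet_of(r)
                             for r in LAN_ONLY_RANGES):
        return "LocalNet"
    if (dst == ip_address(vpn_server_ip) and flow.dst_port == vpn_server_port
            and flow.proto == vpn_proto):
        return "ServerIP"
    return None


def server_resolution_drifted(resolved_ip, pinned_ip):
    """Detection heuristic (assumed): the VPN server hostname resolving to an address
    other than the operator-pinned one is an indicator of ServerIP-style DNS tampering."""
    return ip_address(resolved_ip) != ip_address(pinned_ip)
```

With the post's values, the lenient policy sends HTTP to 1.2.3.4 outside the tunnel in both scenarios, while the hardened policy keeps it tunnelled and only exempts the VPN protocol's own endpoint.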

The researchers studied the susceptibility of 67 VPN clients to the attacks and concluded that the first method affects all tested VPN clients for iOS, 87.5% of VPN clients for macOS, 66.7% for Windows, 35.7% for Linux and 21.4% for Android. The second attack method affects 88.2% of VPN clients for Linux, 81.8% for Windows, 80% for macOS, 80% for iOS and 30% for Android. Issues have also been confirmed in Cisco's VPN products: Cisco AnyConnect Secure Mobility Client, Cisco Secure Client AnyConnect VPN, and Cisco Secure Client.

Vulnerability information was sent to VPN vendors in April and May. Patched versions have already been released by services such as Mozilla VPN, Surfshark, Malwarebytes, Windscribe and Cloudflare WARP. The affected VPNs include Mullvad VPN, Clario VPN, WireGuard for Windows, Nord Security VPN, Avira Phantom VPN and Ivanti VPN. Instructions for reproducing the attacks in order to test your own systems for the vulnerabilities are published on GitHub.
