Nearly 70 VPN clients and servers are vulnerable to a long-standing attack that can cause them to leak user traffic, university researchers have claimed.
The multi-campus collaboration has dubbed its attack TunnelCrack and has published proof-of-concept exploit code.
“Our tests indicate that every VPN product is vulnerable on at least one device”, the researchers wrote. VPNs running on Apple devices are the most likely to be vulnerable, but most VPNs on Windows and Linux are affected too.
VPNs running on Android were the most likely to be secure, they said.
“The root cause of both vulnerabilities has been part of VPNs since their first creation around 1996. This means that our vulnerabilities went unnoticed, at least publicly, for more than two decades,” they wrote.
Client vulnerability
The researchers discovered that VPN clients allow traffic to be sent in the clear in two cases:
- The traffic is being sent to their local network, meaning enabling the VPN doesn’t disable access to the LAN; and
- The destination is the VPN server, a rule designed to eliminate routing loops.
In these two cases, they found, routing exceptions can be manipulated so “arbitrary traffic will be sent outside the VPN tunnel.”
Attacking local traffic requires the adversary to have control of a local network the user connects to – for example by setting up a rogue hotspot.
The attacker then assigns a public IP address and subnet to the victim: “Because the victim thinks that this IP address is directly reachable in the local network, it will send the web request outside the protected VPN tunnel.”
That gives the attacker access to all unencrypted traffic; even if the user is browsing a website protected by HTTPS, the attacker can still see which website the victim is accessing.
Server vulnerability
Server-side attacks are also enabled by the attacker acting as a malicious network, but they could also be launched from a compromised core router in an ISP.
If the adversary spoofs the IP address of the VPN server, they can intercept VPN traffic from the client.
“Our attacks are not computationally expensive, meaning anyone with the appropriate network access can perform them, and they are independent of the VPN protocol being used … the leaked traffic can contain sensitive data if older insecure protocols are used, and our attack can be used as a basis to attack such older protocols,” the researchers wrote.
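Both attacks described above hinge on the two routing exceptions a VPN client keeps: the DHCP-supplied local subnet stays reachable outside the tunnel, and a host route for the VPN server bypasses the tunnel to avoid loops. The following audit is an added example, not code from the article or from the TunnelCrack researchers. It assumes the client's installed exceptions can be represented as a local subnet plus a server host route, that the expected VPN server address is pinned in configuration, and that only RFC 1918 and link-local space is legitimately "local"; the sample leases are constructed, using documentation address blocks.

```python
"""Audit VPN routing exceptions for TunnelCrack-style leaks (added example).

A LocalNet-style rogue network hands out a public subnet so that hosts
in it look directly reachable; a ServerIP-style attack makes the client
believe the server lives at an attacker-chosen address.  The checks here
flag both conditions and compute a clipped local exception that covers
only private address space, which is the shape of the client firewall
rules vendors recommend as a mitigation.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Assumption: only these ranges are ever legitimately "on-link".
PRIVATE_RANGES = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


@dataclass
class RoutingExceptions:
    local_subnet: IPv4Network     # on-link subnet claimed by the DHCP lease
    server_route: IPv4Network     # host route the client installed for the VPN server
    pinned_server: IPv4Address    # server address the client expects (assumed pinned in config)


def traffic_leaks_to(dst: str, exc: RoutingExceptions) -> Optional[str]:
    """Return why a packet to `dst` would bypass the tunnel, or None if it is tunnelled."""
    addr = ip_address(dst)
    if addr in exc.local_subnet:
        return "local-network exception"
    if addr in exc.server_route:
        return "vpn-server exception"
    return None


def audit(exc: RoutingExceptions) -> List[str]:
    """Flag routing exceptions that a rogue network could abuse."""
    findings = []
    if not any(exc.local_subnet.subnet_of(p) for p in PRIVATE_RANGES):
        findings.append(f"LocalNet: on-link subnet {exc.local_subnet} covers public address space")
    if exc.server_route.prefixlen != 32:
        findings.append(f"ServerIP: server route {exc.server_route} is wider than a single host")
    if exc.pinned_server not in exc.server_route:
        findings.append(f"ServerIP: server route {exc.server_route} does not match pinned server {exc.pinned_server}")
    return findings


def clipped_local_exception(local_subnet: IPv4Network) -> List[IPv4Network]:
    """Intersect the DHCP-supplied subnet with private space; only that part may bypass the tunnel."""
    allowed = []
    for p in PRIVATE_RANGES:
        if local_subnet.subnet_of(p):       # lease lies inside a private range: keep it whole
            allowed.append(local_subnet)
        elif p.subnet_of(local_subnet):     # lease is wider than a private range: keep only that range
            allowed.append(p)
    return allowed


# Constructed sample leases (documentation address blocks, not real hosts).
BENIGN = RoutingExceptions(ip_network("192.168.1.0/24"), ip_network("192.0.2.1/32"), ip_address("192.0.2.1"))
ROGUE = RoutingExceptions(ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32"), ip_address("192.0.2.1"))

if __name__ == "__main__":
    for name, exc in (("benign", BENIGN), ("rogue", ROGUE)):
        print(name, audit(exc), traffic_leaks_to("203.0.113.10", exc))
        print("  clipped local exception:", clipped_local_exception(exc.local_subnet))
```

On the benign lease the audit is empty and a packet to a public address is tunnelled; on the rogue lease the same packet is reported as leaking through the local-network exception and the server route is flagged because it no longer points at the pinned server. The clipped exception is what a client firewall would actually permit outside the tunnel, so a public DHCP subnet yields no allowed on-link destinations at all.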
Patches
The researchers said Mozilla VPN, Surfshark, Malwarebytes, Windscribe, and Cloudflare's WARP have been patched.
Cisco has issued an advisory about TunnelCrack, saying its AnyConnect and Secure Client on Linux, Windows, and macOS are vulnerable.
Cisco added that the client attack can be blocked using client firewall rules, while the server-side attack can be blocked by its Umbrella Roaming Security Module.
The vulnerabilities have been designated CVE-2023-36672 and CVE-2023-36673; at the time of writing, Mitre, which maintains the CVE list, had not published detailed advisories.
The research was conducted by Nian Xue of New York University; Yashaswi Malla, Zihang Xia, and Christina Pöpper of New York University Abu Dhabi; and Mathy Vanhoef of KU Leuven University.