Almost all VPNs are vulnerable to traffic-leaking TunnelCrack attacks

Several vulnerabilities that affect most VPN products out there can be exploited by attackers to read user traffic, steal user information, or even attack user devices, researchers have discovered.

“Our attacks are not computationally expensive, meaning anyone with the appropriate network access can perform them, and they are independent of the VPN protocol being used,” claim Nian Xue of New York University; Yashaswi Malla, Zihang Xia, and Christina Pöpper of New York University Abu Dhabi; and Mathy Vanhoef of KU Leuven University.

“Even if the victim is using another layer of encryption such as HTTPS, our attacks reveal which websites a user is visiting, which can be a significant privacy risk.”

The VPN vulnerabilities and possible attacks

The unearthed vulnerabilities have received four distinct CVE numbers: CVE-2023-36672, CVE-2023-35838, CVE-2023-36673, and CVE-2023-36671. Because so many products are affected, each number denotes a vulnerability independently of the solution or codebase in which it appears.

The first pair of bugs can be exploited in a LocalNet attack, i.e., when a user connects to a Wi-Fi or Ethernet network set up by an attacker. The latter pair can be leveraged in a ServerIP attack, either by attackers running an untrusted Wi-Fi/Ethernet network or by malicious internet service providers (ISPs).

“Both attacks manipulate the victim’s routing table to trick the victim into sending traffic outside the protected VPN tunnel, allowing an adversary to read and intercept transmitted traffic,” the researchers say.
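The routing-table check implied above, written out as an added example (not the researchers' script or any vendor's code): given a client's routing table, it reports every destination that longest-prefix-match routing would send outside the tunnel interface. The table, the interface names (`tun0`, `wlan0`), the VPN server address and the destinations are all constructed for the example.

```python
import ipaddress

# Constructed routing table (not taken from the paper): (destination prefix, interface).
# "tun0" is the assumed VPN tunnel, "wlan0" the assumed physical network interface.
ROUTES = [
    ("0.0.0.0/0", "tun0"),         # default route: everything is meant to use the tunnel
    ("203.0.113.5/32", "wlan0"),   # exception for the VPN server's own address (assumed)
    ("192.168.1.0/24", "wlan0"),   # ordinary local-network route
    ("198.51.100.0/24", "wlan0"),  # a "local" route covering public address space
]

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def egress_interface(dst, routes=ROUTES):
    """Interface chosen by longest-prefix-match routing for dst (None if no route)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def find_leaks(destinations, tunnel="tun0", vpn_server=None, allow_local=True, routes=ROUTES):
    """Return (destination, interface) pairs whose traffic would bypass the tunnel.

    The VPN server address is exempt because it has to be reachable outside the tunnel.
    allow_local=True accepts RFC 1918 destinations; allow_local=False models a client
    with local network access disabled, so those also count as leaks.
    """
    leaks = []
    for dst in destinations:
        ip = ipaddress.ip_address(dst)
        if vpn_server and ip == ipaddress.ip_address(vpn_server):
            continue
        if allow_local and any(ip in net for net in RFC1918):
            continue
        iface = egress_interface(dst, routes)
        if iface != tunnel:
            leaks.append((dst, iface))
    return leaks


if __name__ == "__main__":
    probes = ["8.8.8.8", "198.51.100.7", "192.168.1.10", "203.0.113.5"]
    print(find_leaks(probes, vpn_server="203.0.113.5"))
```

Only the route for 198.51.100.0/24 is flagged with local access allowed; with `allow_local=False` the 192.168.1.0/24 destination is flagged as well.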

A video demonstration of three attacks is available. The researchers have also released scripts that can be used to check whether a VPN client is vulnerable.

“Once a large enough fraction of devices has been patched, and if deemed necessary and/or beneficial, the attack script will be publicly released as well,” they added.

Vulnerable apps/clients and mitigation advice

After testing many consumer and enterprise-grade VPN solutions, they found that most VPNs for Apple devices (whether computers, iPhones or iPads) and Windows and Linux devices are vulnerable to one or both attacks. On Android, only about a quarter of VPN apps are vulnerable – likely due to a “carefully designed” API.

Built-in VPN clients of Windows, macOS, and iOS are also vulnerable, as are some on Linux.

The researchers say that they are not aware of the vulnerabilities being exploited in the wild, but also noted that it would be difficult to discover if they were.

They notified a number of VPN vendors about the vulnerabilities they found. Some of those vendors have already squashed the bugs without mentioning them in the update release notes (to comply with the researchers’ request to keep them secret until the research had been published).

A full list of tested VPN apps on various devices is available at the end of the researchers’ paper, so you might want to check whether the one you use is on that list and, if it is and it’s vulnerable, check whether the vendor has fixed the bugs. If that information is not publicly available, you may want to contact the vendor’s tech support and ask.

“Some example patched VPNs are Mozilla VPN, Surfshark, Malwarebytes, Windscribe (can import OpenVPN profiles), and Cloudflare’s WARP,” the researchers shared.

Cisco has confirmed that its Cisco Secure Client and AnyConnect Secure Mobility Client for Linux, macOS, and Windows are vulnerable to CVE-2023-36672, but only in a specific, non-default configuration. Mullvad says only its iOS app is vulnerable to the LocalNet attack.

“If updates for your VPN are not available, you can mitigate the LocalNet attack by disabling local network access. You can also mitigate attacks by assuring websites use HTTPS, which many websites nowadays support,” the researchers advised.
