Overview
On August 8, 2023, the security researcher Mathy Vanhoef presented several security issues affecting VPN clients under the name “TunnelCrack”. As outlined in Vanhoef’s advisory, “TunnelCrack” is comprised of four vulnerabilities:
CVE-2023-36672: LocalNet attack resulting in leakage of traffic in plaintext. The reference CVSS score is 6.8.
CVE-2023-35838: LocalNet attack resulting in the blocking of traffic. The reference CVSS score is 3.1.
CVE-2023-36673: ServerIP attack, combined with DNS spoofing, can leak traffic to an arbitrary IP address. The reference CVSS score is 7.4.
CVE-2023-36671: ServerIP attack where only traffic to the real IP address of the VPN server can be leaked. The reference CVSS score is 3.1.
These issues enumerate various ways that an adversary, with direct control over a network infrastructure, could manipulate VPN clients into sending traffic outside the protected VPN tunnel, e.g., via rogue access points or other untrusted networks. Encrypted traffic, such as HTTPS, remains secure and cannot be decrypted, even if an adversary manipulates the routing.
Mitigations
If a VPN client is configured to allow local network traffic, it is possible to create an environment where remote hosts appear to be reachable on the local network. In the “LocalNet” variant of TunnelCrack, traffic is sent directly instead of through the VPN tunnel.
An update of Sophos Connect Client is not required as the risk of exploitation is very low and easily mitigated.
LocalNet attack - ensure TLS is used on all services reachable via VPN
ServerIP attack - ensure the “Override hostname” value in the SSL VPN Settings is empty. The default value for this setting is empty.