TunnelCrack: Widespread design flaws in VPN clients

⁨252⁩ ⁨likes⁩

Submitted ⁨⁨10⁩ ⁨months⁩ ago⁩ by ⁨Elephant0991@lemmy.bleh.au⁩ to ⁨technology@lemmy.world⁩

https://tunnelcrack.mathyvanhoef.com/

What are TunnelCrack vulnerabilities?

Two widespread security vulnerabilities in VPNs can be abused by an adversary to leak traffic outside the VPN tunnel.
The two vulnerabilities are called the LocalNet and ServerIP attack.

How do the LocalNet and ServerIP attacks work?

LocalNet attack:

The adversary acts as a malicious Wi-Fi or Ethernet network and tricks the victim into connecting to it.
Once connected, the adversary assigns a public IP address and subnet to the victim.
The adversary then tells the victim that the local network is using this subnet, which means that IP addresses in this range are directly reachable in the local network.
When the victim now visits a website with an IP address in this range, the web request will be sent outside the protected VPN tunnel.
66+ VPNs on five platforms were tested and found that all VPN apps on iOS are vulnerable. Additionally, all but one VPN client on macOS is vulnerable, on Windows a large majority of VPNs are vulnerable, and on Linux more than one-third are vulnerable. Interestingly, VPN apps on Android are typically the most secure, with one-quarter being vulnerable to the LocalNet attack.

ServerIP attack:

The adversary abuses the observation that many VPNs don’t encrypt traffic towards the IP address of the VPN server. This is done to avoid re-encryption of packets.
The adversary first spoofs the DNS reply for the VPN server to return the IP address of a website that they control.
The victim will then connect with the VPN server at this IP address.
To assure the victim still successfully creates a VPN connection, the adversary redirects this traffic to the real VPN server.
While establishing the VPN connection, the victim will add a routing rule so that all traffic to the VPN server, in this case the spoofed IP address, is sent outside the VPN tunnel.
When the victim now visits a website with the IP address of the VPN server, the web request is sent outside the protected VPN tunnel.
Built-in VPN clients of Windows, macOS, and iOS are vulnerable. Android 12 and higher is not affected. A significant number of Linux VPNs are also vulnerable.

Summary of what VPNs are vulnerable to TunnelCrack

VPNs for iPhones, iPads, MacBooks, and macOS are extremely likely to be vulnerable
A majority of VPNs on Windows and Linux are vulnerable
Android is the most secure with roughly one-quarter of VPN apps being vulnerable.
The discovered vulnerabilities can be abused regardless of the security protocol used by the VPN.

How can I protect myself from TunnelCrack vulnerabilities?

To prevent the attack, VPN clients should be updated to send all traffic through the VPN tunnel, except traffic generated by the VPN app itself.

source

Comments

Sort:hotnew top

nickhammes@lemmy.world ⁨10⁩ ⁨months⁩ ago
Look at the last three pages of their paper to see if your VPN is affected.

source
- myrmidex@slrpnk.net ⁨10⁩ ⁨months⁩ ago
  Quite the emotional roller coaster this was… Went from ‘uh-oh’ all the way over to ‘WHATDOTHETRIANGLESMEAN’ and back round to ‘cool bro’
  
  source
- Cheems@lemmy.world ⁨10⁩ ⁨months⁩ ago
  What if yours isn’t on the list at all
  
  source
  - BlackEco@lemmy.blackeco.com ⁨10⁩ ⁨months⁩ ago
    Consider them as potentially affected and hope the vendor checks if their client is vulnerable and releases a fix quickly.
    
    source
ThomasTheWankEngine@lemmy.world ⁨10⁩ ⁨months⁩ ago
To be fair, Apples VPN integration on iOS has been shit for a long time. From the top of my head:

Leaking IP addresses after connecting the VPN because it doesn’t close the sockets of existing connections

Randomly turning the VPN off when not actively in use

No Option whatsoever to force all traffic through the VPN.
source
gaylord_fartmaster@lemmy.world ⁨10⁩ ⁨months⁩ ago
Boy am I glad all of my VPN connections are running on Wireguard these days.

Well, except for my work laptop of course, running a less secure and overpriced proprietary VPN solution lol

source
- bdonvr@thelemmy.club ⁨10⁩ ⁨months⁩ ago
  As I understand it, WireGuard is impacted too. It seems to have more to do with your OS than the protocol used.
  
  source
- evatronic@lemm.ee ⁨10⁩ ⁨months⁩ ago
  “If we pay for it, we get a support contract, which means we can blame the vendor instead of ourselves!”
  
  – Corporate IT departments
  
  source
- porksandwich9113@lemmy.world ⁨10⁩ ⁨months⁩ ago
  Also glad I run wireguard for my homelab.
  
  Fortunately for my work connection, I work at the ISP I get my internet service from, so they just pipe my work VLAN to a port on my ONT and I don’t need a VPN.
  
  source
peopleproblems@lemmy.world ⁨10⁩ ⁨months⁩ ago
Well

that’s not good

source
kaitco@lemmy.world ⁨10⁩ ⁨months⁩ ago
Phew! Mine is secure. It’s the little things…

source
BlackEco@lemmy.blackeco.com ⁨10⁩ ⁨months⁩ ago
I’m not sure to understand correctly: does it only impact OpenVNP? Are Wireguard clients safe?

source
- nodsocket@lemmy.world ⁨10⁩ ⁨months⁩ ago
  Apparently the Wireguard client was secure on all platforms when tested using Surfshark.
  
  source
corsicanguppy@lemmy.ca ⁨10⁩ ⁨months⁩ ago
I like how VTun is still dead and still okay (aside from the one guy gaming the testing for karma).

source
1luv8008135@lemmy.world ⁨10⁩ ⁨months⁩ ago
And Ofcourse Nord is on the list.

source