Almost All VPNs Are Vulnerable to Traffic-Leaking TunnelCrack Attacks

Cyber Security Threat Summary:
Researchers from New York University, New York University Abu Dhabi, and KU Leuven have disclosed a set of vulnerabilities, collectively named TunnelCrack, that affect most VPN products and let an attacker on the victim's network read user traffic, steal user information, or attack user devices. The attacks are independent of the VPN protocol in use: rather than breaking the tunnel's encryption, they abuse two routing exceptions that VPN clients commonly install, one for the local network and one for the VPN server's own IP address, so that traffic to a destination of the attacker's choosing is sent outside the tunnel in the clear. Even when that traffic is itself encrypted, for example with HTTPS, the attacker still learns which websites and servers the user is contacting, which is a significant privacy risk. The vulnerabilities have been assigned CVE-2023-36672, CVE-2023-35838, CVE-2023-36673, and CVE-2023-36671, covering the LocalNet and ServerIP attacks described below. Most VPN clients for Apple devices, Windows, and Linux are vulnerable, while only about a quarter of Android VPN apps are affected. The researchers notified vendors, and some have already released fixes. VPN applications that have been patched or mitigated are:

  • Mozilla VPN
  • Surfshark
  • Malwarebytes
  • Windscribe (with the ability to import OpenVPN profiles)
  • Cloudflare's WARP
For more information and technical details, see the researchers' paper (PDF):

Security Officer Comments:
Four CVEs collectively constitute the TunnelCrack attack. Rather than tampering with the routing table directly, the attacker arranges for a chosen destination to match one of the routing exceptions the VPN client itself installs, so traffic to that destination bypasses the tunnel and can be intercepted. The vulnerabilities affect a wide range of VPN solutions and platforms, making them a significant concern for data security and user privacy:
  • CVE-2023-36672: One of the two CVEs assigned to the LocalNet attack. The victim joins a Wi-Fi or Ethernet network controlled by the attacker, whose DHCP server hands out an address and netmask chosen so that the public IP of the target website falls inside what the client treats as the local subnet. Because most clients leave local-network traffic outside the tunnel (so printers and file shares keep working), the victim's requests to that target are sent unencrypted over the attacker's network, where they can be read, modified, or used to attack the device.
  • CVE-2023-35838: The second CVE assigned to the LocalNet attack. The mechanism is the same: the attacker's network configuration makes the target's address look local, and the client's local-network exception carries the traffic outside the tunnel.
  • CVE-2023-36673: One of the two CVEs assigned to the ServerIP attack. VPN clients exempt the VPN server's own IP address from the tunnel so that the encrypted tunnel packets are not routed back into it. An attacker who can spoof DNS replies, such as the operator of an untrusted Wi-Fi/Ethernet network or a malicious ISP, answers the lookup of the VPN server's hostname with the target's IP address and relays the tunnel traffic to the real server so the connection still comes up. The client's server exception now covers the target, and all traffic to it leaves the tunnel in plaintext.
  • CVE-2023-36671: The second CVE assigned to the ServerIP attack. As with CVE-2023-36673, a spoofed server address tricks the client into routing traffic to that address outside the protected tunnel, exposing it to interception.
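To make the two routing exceptions concrete, the following is an added example, not code from the TunnelCrack paper or from any VPN vendor. It models a VPN client's routing decision with longest-prefix matching, builds the routing table a typical client ends up with, and runs the LocalNet and ServerIP scenarios against it and against a hardened variant that only exempts private LAN ranges and a pinned server address. The interface names tun0 and eth0, the hostname vpn.example.com, the hardened policy and all addresses (taken from the TEST-NET documentation ranges) are constructed for illustration.

```python
"""Model of how a VPN client's routing exceptions let traffic leave the tunnel.

Added example, not code from the TunnelCrack paper or any VPN vendor. The
interface names (tun0, eth0), the hostname vpn.example.com and all addresses
(taken from the TEST-NET documentation ranges) are constructed.
"""
import ipaddress
from dataclasses import dataclass

TUNNEL_DEV = "tun0"   # the VPN's virtual interface
LAN_DEV = "eth0"      # the physical interface on the (possibly hostile) network

# Constructed addresses.
TARGET = "203.0.113.10"       # site whose traffic the attacker wants to observe
OTHER_SITE = "192.0.2.44"     # unrelated site that must stay inside the tunnel
REAL_SERVER = "198.51.100.7"  # genuine address of vpn.example.com

# Ranges the hardened client is willing to treat as "local network".
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str


def route_lookup(routes, dst):
    """Longest-prefix match, as the kernel's forwarding lookup does it."""
    addr = ipaddress.ip_address(dst)
    return max((r for r in routes if addr in r.prefix),
               key=lambda r: r.prefix.prefixlen)


def client_routes(local_net, server_ip):
    """Routing table a typical (vulnerable) client ends up with: everything via
    the tunnel, except the local subnet the network assigned us (so printers and
    file shares keep working) and the VPN server's own address (so the encrypted
    tunnel packets are not routed back into the tunnel). Real clients often
    express the default as 0.0.0.0/1 + 128.0.0.0/1; one route is equivalent here."""
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), TUNNEL_DEV),
        Route(ipaddress.ip_network(local_net, strict=False), LAN_DEV),
        Route(ipaddress.ip_network(f"{server_ip}/32"), LAN_DEV),
    ]


def hardened_routes(local_net, server_ip, pinned_server_ips=(REAL_SERVER,)):
    """One possible mitigation (an assumption of this example, not a vendor's
    fix): exempt the LAN only if it is a private range, and exempt the server
    address only if it is one the client was configured with. Returns None to
    mean 'refuse to connect'."""
    lan = ipaddress.ip_network(local_net, strict=False)
    if ipaddress.ip_address(server_ip) not in {ipaddress.ip_address(p) for p in pinned_server_ips}:
        return None
    routes = [Route(ipaddress.ip_network("0.0.0.0/0"), TUNNEL_DEV)]
    if any(lan.subnet_of(r) for r in LAN_RANGES):
        routes.append(Route(lan, LAN_DEV))
    routes.append(Route(ipaddress.ip_network(f"{server_ip}/32"), LAN_DEV))
    return routes


def leaked_targets(routes, targets):
    """Targets whose packets would leave via the physical interface in the clear."""
    return [t for t in targets if route_lookup(routes, t).dev != TUNNEL_DEV]


def run_scenario(builder, local_net, resolved_server_ip):
    routes = builder(local_net, resolved_server_ip)
    if routes is None:
        return {"connected": False, "leaked": []}
    return {"connected": True, "leaked": leaked_targets(routes, [TARGET, OTHER_SITE])}


def benign_network(builder):
    """Home Wi-Fi, honest DNS: nothing should leak."""
    return run_scenario(builder, "192.168.1.20/24", REAL_SERVER)


def localnet_attack(builder):
    """Attacker's DHCP hands the victim 203.0.113.50/24, so TARGET now falls
    inside the 'local network' the client keeps outside the tunnel."""
    return run_scenario(builder, "203.0.113.50/24", REAL_SERVER)


def serverip_attack(builder):
    """Attacker spoofs the DNS answer for the VPN server so it resolves to TARGET
    (and relays the tunnel handshake to the real server so the connection still
    comes up). The per-server routing exception now covers the target too."""
    spoofed_dns = {"vpn.example.com": TARGET}
    return run_scenario(builder, "192.168.1.20/24", spoofed_dns["vpn.example.com"])


if __name__ == "__main__":
    for name, scenario in (("benign", benign_network),
                           ("LocalNet", localnet_attack),
                           ("ServerIP", serverip_attack)):
        print(f"{name:9s} typical client: {scenario(client_routes)}")
        print(f"{name:9s} hardened:       {scenario(hardened_routes)}")
```

In both attack scenarios the typical client reports the target as leaked while the unrelated site stays in the tunnel; the hardened variant drops the bogus "local" route in the LocalNet case and refuses to connect in the ServerIP case because the server resolved to an unexpected address. On a real machine the equivalent check is `ip route get <target>` on Linux (or `route get <target>` on macOS) while the VPN is connected: if the egress device shown is not the VPN interface, traffic to that address is leaving the tunnel.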
Suggested Correction(s):
Mitigations depend on the VPN product and platform, so users should install their vendor's patched client where one exists (see the list above) and follow the vendor's advisory. Where a fix is not yet available, two workarounds follow from the mechanism of the attacks: disabling the client's local-network access option (or the equivalent OS setting) so that LAN traffic is also tunneled removes the exception LocalNet abuses, and connecting to a server by a fixed IP address from the configuration, rather than a hostname resolved over untrusted DNS, removes the spoofed lookup ServerIP depends on. Stay informed about updates and security advisories, and on untrusted networks assume that the destination of a connection may be visible to the network operator even when its content is protected by HTTPS.