TunnelCrack: Widespread design flaws in VPN clients - bleh.au
What are TunnelCrack vulnerabilities?

* Two widespread security vulnerabilities in VPNs can be abused by an adversary to leak traffic outside the VPN tunnel.
* The two vulnerabilities are called the LocalNet attack and the ServerIP attack.

How do the LocalNet and ServerIP attacks work?

LocalNet attack:

* The adversary acts as a malicious Wi-Fi or Ethernet network and tricks the victim into connecting to it.
* Once connected, the adversary assigns a public IP address and subnet to the victim.
* The adversary then tells the victim that the local network is using this subnet, which means that IP addresses in this range are treated as directly reachable on the local network.
* When the victim now visits a website with an IP address in this range, the web request is sent outside the protected VPN tunnel.
* 66+ VPNs on five platforms were tested. All VPN apps on iOS were found to be vulnerable; all but one VPN client on macOS is vulnerable; on Windows a large majority of VPNs are vulnerable; and on Linux more than one-third are vulnerable. Interestingly, VPN apps on Android are typically the most secure, with one-quarter being vulnerable to the LocalNet attack.

ServerIP attack:

* The adversary abuses the observation that many VPNs don’t encrypt traffic towards the IP address of the VPN server. This is done to avoid re-encryption of packets.
* The adversary first spoofs the DNS reply for the VPN server to return the IP address of a website that they control.
* The victim then connects to the VPN server at this IP address.
* To ensure the victim still successfully creates a VPN connection, the adversary redirects this traffic to the real VPN server.
* While establishing the VPN connection, the victim adds a routing rule so that all traffic to the VPN server, in this case the spoofed IP address, is sent outside the VPN tunnel.
* When the victim now visits a website with the IP address of the VPN server, the web request is sent outside the protected VPN tunnel.
* Built-in VPN clients of Windows, macOS, and iOS are vulnerable. Android 12 and higher is not affected. A significant number of Linux VPNs are also vulnerable.

Summary of what VPNs are vulnerable to TunnelCrack

* VPNs for iPhones, iPads, MacBooks, and macOS are extremely likely to be vulnerable.
* A majority of VPNs on Windows and Linux are vulnerable.
* Android is the most secure, with roughly one-quarter of VPN apps being vulnerable.
* The discovered vulnerabilities can be abused regardless of the security protocol used by the VPN.

How can I protect myself from TunnelCrack vulnerabilities?

To prevent the attack, VPN clients should be updated to send all traffic through the VPN tunnel, except traffic generated by the VPN app itself.
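Both attacks show up on the client as routing-table entries that carry traffic around the tunnel: an on-link route for a public subnet (LocalNet) and a host route for the VPN server's IP (ServerIP). The audit below is an added example, not code from the TunnelCrack researchers or from bleh.au; it parses a constructed `ip route` listing in which the interface names, the 203.0.113.0/24 subnet and the 198.51.100.10 server address are assumed sample values.

```python
import ipaddress

# Constructed sample of `ip route show` from a Linux laptop on Wi-Fi (wlan0)
# with a VPN tunnel (tun0). The network has handed out a *public* subnet,
# 203.0.113.0/24, which is the condition the LocalNet attack relies on, and
# the VPN client added a host route for its server (198.51.100.10) that
# bypasses the tunnel, which is the exception the ServerIP attack abuses.
SAMPLE_ROUTES = """\
default via 10.8.0.1 dev tun0
default via 203.0.113.1 dev wlan0 metric 600
203.0.113.0/24 dev wlan0 proto kernel scope link src 203.0.113.57
198.51.100.10 via 203.0.113.1 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link
"""

# Address space a LAN is legitimately expected to announce (RFC 1918 plus
# link-local). Checked explicitly rather than via ipaddress.is_private,
# which also treats documentation ranges such as 203.0.113.0/24 as private.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def parse_routes(text):
    """Yield (destination network, outgoing interface) for each `ip route` line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        yield ipaddress.ip_network(dest, strict=False), fields[fields.index("dev") + 1]


def audit_routes(text, vpn_iface, vpn_server_ip):
    """Return findings for routes that send traffic outside the VPN tunnel.

    Routes on the tunnel interface and the physical default route are normal
    (the tunnel's own packets need the latter). RFC 1918 / link-local subnets
    are what a LAN should announce. Anything else is reported: a public subnet
    routed on-link is a LocalNet leak, and the VPN-server host route is the
    exception that ServerIP turns into a leak when the server IP was spoofed.
    """
    server = ipaddress.ip_address(vpn_server_ip)
    findings = []
    for net, iface in parse_routes(text):
        if iface == vpn_iface or net.prefixlen == 0 or net.version != 4:
            continue
        if any(net.subnet_of(lan) for lan in LAN_RANGES):
            continue
        if net.num_addresses == 1 and server in net:
            findings.append(f"server-exception: {net} via {iface} (ServerIP exposure)")
        else:
            findings.append(f"leak: {net} via {iface} (LocalNet exposure)")
    return findings
```

On a live host, feed the function the output of `ip route show` together with the tunnel interface and the server address the client was configured with; a clean result is an empty list, and the server-exception line is expected but marks the one route that must only ever point at the genuine server.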