TunnelCrack: a series of vulnerabilities for attacking VPNs


TunnelCrack, a combination of two widespread security vulnerabilities in VPNs

Information was recently released about a series of discovered vulnerabilities, baptized with the name "TunnelCrack", which are remarkably important because they allow attacks on VPNs.

In essence, TunnelCrack lets an attacker who controls the victim's access point redirect requests for a chosen destination host to the attacker's own server without passing through the VPN tunnel, which means the attacker can intercept that traffic unencrypted.

The central idea behind our attacks is to manipulate the VPN client into sending traffic out of the protected VPN tunnel. By doing so, the victim's traffic can be read and intercepted.

The researchers mention that the attack can be carried out, for example, when connecting through an untrusted internet provider or a wireless network set up by the attackers. In their study they tested 67 VPN clients for susceptibility and concluded that the first attack method (LocalNet) affects VPN clients on every desktop and mobile platform tested, with iOS the most susceptible at a score of 87%.

Our tests indicate that every VPN product is vulnerable on at least one device. We found that VPNs for iPhone, iPad, MacBook, and macOS are highly likely to be vulnerable, most VPNs on Windows and Linux are vulnerable, and Android is the most secure with about a quarter of VPN apps vulnerable.

The discovered vulnerabilities can be abused regardless of the security protocol used by the VPN. In other words, even VPNs that claim to use "military-grade encryption" or use self-developed encryption protocols can be attacked. The root cause of both vulnerabilities has been a part of VPNs since their first creation around 1996. This means that our vulnerabilities went unnoticed, at least publicly, for more than two decades.

About the identified attack methods, the following is mentioned:

  • LocalNet, which relies on the fact that most VPN clients allow direct access to the local network. The attacker-controlled gateway assigns the victim an IP address in a subnet that also contains the target host whose traffic is to be intercepted. The victim's network stack then considers the target host directly reachable on the local link and routes the traffic to the attacker's gateway instead of through the VPN.
  • ServerIP, which relies on the fact that many VPN clients exclude traffic addressed to the IP address of their own VPN server from the tunnel, so that the already-encrypted tunnel packets are not encrypted a second time and looped back into the tunnel. An attacker who controls the local network and its DNS server resolves the domain to be intercepted to the VPN server's IP address. When the victim accesses that domain, the VPN client assumes the traffic is destined for the VPN server and sends it outside the tunnel, unencrypted, where the attacker's gateway can read it.

It is mentioned that, to protect users and following the vulnerability disclosure process, the corresponding security updates were prepared in coordination with CERT/CC and various VPN providers. Among the patched VPNs mentioned are, for example, Mozilla VPN, Surfshark, Malwarebytes, Windscribe and Cloudflare's WARP.

As a secondary measure, or while fixes are not yet available, it is mentioned that the LocalNet attack can be mitigated by disabling access to the local network in the VPN client. Both attacks can also be mitigated by ensuring that websites use HTTPS, which most websites support today; note that HTTPS protects the content of a redirected connection but still reveals to the attacker which host is being contacted.
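To make the two routing-table exceptions from the attack descriptions above, and the mitigations just mentioned, concrete, here is an added example written for this article (it is not code from the TunnelCrack researchers or from any VPN vendor). It models the routes a typical full-tunnel VPN client installs, performs the same longest-prefix lookup the kernel does, and shows how an attacker-chosen local subnet (LocalNet) or a spoofed DNS answer equal to the server address (ServerIP) sends an application packet to the physical interface in cleartext. The hardened variant narrows the local route to the gateway host and adds a firewall rule that only lets the VPN daemon's own packets leave unencrypted. All addresses, interface names and the port number are assumptions made up for the example.

```python
"""Toy model of a VPN client's routing policy and why TunnelCrack leaks traffic.
Added example for this article; not the researchers' or any vendor's code."""
import ipaddress
from typing import NamedTuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


class Route(NamedTuple):
    prefix: Net
    iface: str


class Packet(NamedTuple):
    dst: IPv4
    proto: str
    dport: int
    from_vpn_daemon: bool = False


# Assumed values for the example only (documentation address ranges).
VPN_SERVER = IPv4("203.0.113.10")   # the VPN server the client connects to
VPN_PORT = 51820                    # assumed UDP port of the tunnel protocol
GATEWAY = IPv4("192.0.2.1")         # attacker-controlled access point


def client_routes(local_subnet: str, allow_localnet: bool) -> list[Route]:
    """Routing table a typical full-tunnel VPN client installs."""
    routes = [
        # Two /1 routes beat the default route without deleting it
        # (the classic "redirect-gateway" trick).
        Route(Net("0.0.0.0/1"), "tun0"),
        Route(Net("128.0.0.0/1"), "tun0"),
        # ServerIP exception: the encrypted tunnel packets must not be routed
        # back into tun0, so the server address gets a host route out wlan0.
        Route(Net(f"{VPN_SERVER}/32"), "wlan0"),
    ]
    if allow_localnet:
        # LocalNet exception: whatever prefix the (attacker's) DHCP handed out.
        routes.append(Route(Net(local_subnet), "wlan0"))
    else:
        # Hardened: only the gateway itself stays directly reachable.
        routes.append(Route(Net(f"{GATEWAY}/32"), "wlan0"))
    return routes


def egress_iface(routes: list[Route], dst: IPv4) -> str:
    """Longest-prefix match, as the kernel's route lookup does."""
    best = max((r for r in routes if dst in r.prefix),
               key=lambda r: r.prefix.prefixlen)
    return best.iface


def disposition(routes: list[Route], pkt: Packet, strict_firewall: bool) -> str:
    """Fate of a packet: 'tunnel', 'transport' (the daemon's own encrypted
    packets), 'leaked' (cleartext on wlan0) or 'dropped'."""
    if egress_iface(routes, pkt.dst) == "tun0":
        return "tunnel"
    is_vpn_transport = (pkt.from_vpn_daemon and pkt.dst == VPN_SERVER
                        and pkt.proto == "udp" and pkt.dport == VPN_PORT)
    if is_vpn_transport:
        return "transport"
    # Hardened: a firewall rule that only lets the VPN daemon's packets leave
    # on the physical interface (the "kill switch" pattern).
    return "dropped" if strict_firewall else "leaked"


def localnet_attack(hardened: bool) -> str:
    # The attacker's DHCP puts the victim in a subnet that covers the target;
    # 198.51.100.7 is a constructed target address.
    routes = client_routes("198.51.100.0/24", allow_localnet=not hardened)
    pkt = Packet(IPv4("198.51.100.7"), "tcp", 80)
    return disposition(routes, pkt, strict_firewall=hardened)


def serverip_attack(hardened: bool) -> str:
    # The attacker's DNS resolves the target hostname to the VPN server's IP,
    # so the application's packet hits the /32 server exception.
    routes = client_routes("192.0.2.0/24", allow_localnet=not hardened)
    pkt = Packet(VPN_SERVER, "tcp", 80)
    return disposition(routes, pkt, strict_firewall=hardened)


if __name__ == "__main__":
    for name, attack in (("LocalNet", localnet_attack), ("ServerIP", serverip_attack)):
        print(f"{name}: default={attack(False)}  hardened={attack(True)}")
```

In the ServerIP case the attacker's gateway then forwards the cleartext packet to the real destination, so the victim notices nothing. Note that the hardened model drops the spoofed connection rather than tunnelling it: a client that pins its server address cannot tell the spoofed destination from its own server at the IP layer, so the protection comes from the firewall rule that lets only the daemon's own encrypted packets out, which is also what makes the tunnel transport keep working. Real clients implement this with packet-filter rules (nftables, pf, the Windows Filtering Platform) rather than by editing routes alone.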

Finally, if you are interested in learning more about it, you can check the details at the following link.

