Full Report
VPNs are used to prevent snooping and internet tracking. In this article, the authors describe two widespread flaws they found in VPN clients. The first, LocalNet, abuses local network access. When a client joins a Wi-Fi network, the DHCP server assigns its IP address and subnet, and the VPN client does not validate that subnet. If the victim wants to reach a site at 1.2.3.4, an attacker running the access point can hand out a lease such as 1.2.3.50 with netmask 255.255.255.0, so that 1.2.3.0/24 looks like the local network. Because most VPN clients keep direct access to the local network while the tunnel is up, the victim's traffic to 1.2.3.4 is sent in the clear outside the tunnel. This affected all tested iOS apps and many on macOS, Windows and Linux. The second attack, ServerIP, abuses the fact that most VPN clients exclude traffic to the VPN server's own IP address from the tunnel, since the encrypted packets themselves must reach that address. That exception is harmless only if the IP really is the server's, but the client obtains it by a plain DNS lookup of the server's hostname. An attacker who spoofs that DNS response with the IP of a target site, and forwards the VPN's own packets on to the real server so the connection still comes up, makes the client exclude the target's IP from the tunnel, so traffic to that site is sent unprotected.
Analysis Summary
# Vulnerability: TunnelCrack - Widespread VPN Design Flaws Allowing Traffic Leakage
## CVE Details
- CVE ID: Not explicitly provided in context, but refers to two widespread vulnerabilities (LocalNet and ServerIP attacks).
- CVSS Score: Not explicitly provided in context.
- CWE: Not assigned in context. The underlying weakness is that routing exceptions are built from unvalidated, network-supplied data (the DHCP-assigned local subnet and the DNS-resolved VPN server address).
## Affected Systems
- Products: Virtually all tested VPN applications across major operating systems.
- Versions: Vulnerabilities existed in VPN clients for over two decades; specific vulnerable versions are not enumerated, but fixes are now available for many products.
- Configurations: Affected all tested operating systems, with the highest prevalence on iOS/iPadOS/macOS, followed by Windows and Linux. Android was the most secure, with only a quarter of apps affected. The attacks work regardless of the VPN security protocol used.
## Vulnerability Description
TunnelCrack describes two distinct, widespread design flaws in VPN clients that allow adversaries to force traffic outside the protected tunnel:
1. **LocalNet Attack (unvalidated local subnet):** Most VPN clients keep direct, untunnelled access to the local network so that printers and similar devices stay reachable, and they take the local subnet from the DHCP lease without validating it. An attacker who operates the Wi-Fi network can therefore hand the victim a lease that places a target's public address inside the "local" subnet (e.g. 1.2.3.50/24 when the target is 1.2.3.4). The client then routes traffic for 1.2.3.4 to the Wi-Fi interface in plaintext instead of into the tunnel, where an attacker on the same network can read or modify it.
2. **ServerIP Attack (spoofed VPN server address):** VPN clients exclude traffic to the VPN server's IP address from the tunnel, because the encrypted packets themselves must be able to reach the server; the tunnelled traffic is still protected, so the exception is harmless as long as the address really is the server's. The client learns that address by resolving the server's hostname over DNS. An attacker who can spoof that response (a malicious Wi-Fi operator or ISP) returns the IP of a target site instead and forwards the VPN's own packets on to the real server, so the connection comes up normally while the client now sends traffic to the target's IP outside the tunnel, in the clear.
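The routing decision both attacks exploit, as an added illustration in Python (not code from the TunnelCrack authors or from any VPN product). It models a client's routing table as longest-prefix match, reproduces the LocalNet and ServerIP leaks against a classic client, and shows a hardened design in which local access is limited to private ranges and the server-IP exception is usable only by the VPN daemon's own marked socket, never by application traffic. The target address 1.2.3.4 is taken from the article; the server address 203.0.113.10, the DHCP leases and the interface names tun0/wlan0 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Ranges a client may reasonably treat as "local" when local network access is enabled.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

TARGET = "1.2.3.4"            # the site the victim visits (address used in the article)
REAL_SERVER = "203.0.113.10"  # constructed: the genuine VPN server address


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str                 # "tun0" = inside the tunnel, "wlan0" = cleartext on the Wi-Fi
    marked_only: bool = False  # only packets from the VPN daemon's own marked socket may use it


def lookup(routes, dst, marked=False):
    """Longest-prefix match, the way a host picks the egress interface for a packet."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if r.marked_only and not marked:
            continue
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.iface if best else None


def vulnerable_routes(local_ip, prefixlen, server_ip):
    """Classic client: default route into the tunnel, plus two cleartext exceptions keyed
    purely on destination address: the DHCP-assigned local subnet and the DNS-resolved server."""
    local_net = ipaddress.ip_interface(f"{local_ip}/{prefixlen}").network
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), "tun0"),
        Route(local_net, "wlan0"),
        Route(ipaddress.ip_network(f"{server_ip}/32"), "wlan0"),
    ]


def hardened_routes(local_ip, prefixlen, server_ip, allow_local=False):
    """Hardened client: the local exception exists only if the user enabled local access AND
    the lease lies in a private/link-local range; the server exception is reachable only by the
    daemon's marked socket (the fwmark / bind-to-interface approach), never by application traffic."""
    routes = [Route(ipaddress.ip_network("0.0.0.0/0"), "tun0")]
    local_net = ipaddress.ip_interface(f"{local_ip}/{prefixlen}").network
    if allow_local and any(local_net.subnet_of(p) for p in PRIVATE):
        routes.append(Route(local_net, "wlan0"))
    routes.append(Route(ipaddress.ip_network(f"{server_ip}/32"), "wlan0", marked_only=True))
    return routes


def scenarios(builder, **kw):
    """Where does the victim's application traffic to TARGET leave the host in each situation?"""
    return {
        # honest Wi-Fi: private lease, correct DNS answer for the VPN server
        "honest":   lookup(builder("192.168.1.50", 24, REAL_SERVER, **kw), TARGET),
        # LocalNet: rogue DHCP hands out 1.2.3.50/24, so 1.2.3.0/24 now looks "local"
        "localnet": lookup(builder("1.2.3.50", 24, REAL_SERVER, **kw), TARGET),
        # ServerIP: spoofed DNS says the VPN server lives at the target's address
        "serverip": lookup(builder("192.168.1.50", 24, TARGET, **kw), TARGET),
    }


if __name__ == "__main__":
    print("vulnerable:", scenarios(vulnerable_routes))
    print("hardened:  ", scenarios(hardened_routes, allow_local=True))
```

In the hardened model the daemon's own handshake packets still reach the (possibly spoofed) server address in the clear, which is unavoidable and harmless because the VPN protocol encrypts them; what changes is that a browser's packets to 1.2.3.4 no longer qualify for either exception and stay inside the tunnel.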
## Exploitation
- Status: Not known to be exploited in the wild. Proof-of-Concept demonstrations exist that intercept leaked traffic (capturing usernames and passwords sent to insecure sites) and identify which websites the victim visits.
- Complexity: Low for LocalNet, which only requires operating (or controlling DHCP on) the Wi-Fi network the victim joins. ServerIP additionally requires spoofing the DNS answer for the VPN server's hostname and forwarding the VPN's own traffic to the real server.
- Attack Vector: Adjacent network for LocalNet (a malicious or compromised Wi-Fi network); Adjacent or Network for ServerIP (a malicious Wi-Fi operator or ISP positioned to answer the victim's DNS lookup).
## Impact
- Confidentiality: High – Sensitive data (usernames, passwords) can be exposed when the leaked traffic uses a protocol without its own encryption (plain HTTP, and the RDP and FTP cases the project site cites); even for encrypted traffic, the attacker learns which hosts and sites the victim contacts.
- Integrity: Medium – Data sent over unencrypted protocols can be modified in transit.
- Availability: Low to Medium – Variants of the LocalNet attack could potentially be used to disrupt services (e.g., blocking a security camera notification).
## Remediation
### Patches
Patches were prepared via a coordinated 90-day disclosure. Users are strongly advised to update their VPN software.
Examples of updated VPNs include:
* Mozilla VPN
* Surfshark
* Malwarebytes VPN
* Windscribe (for OpenVPN profiles)
* Cloudflare WARP
### Workarounds
* **LocalNet Mitigation:** Disable local network access within the VPN application settings, if available.
* **HTTPS Enforcement:** Ensure that websites use HTTPS (preferably enforced via HSTS), as this protects traffic even if the VPN tunnel protection is bypassed for web browsing. Browsers now warn users when connecting via HTTP.
* **Protocol Security:** Treat the VPN as one layer, not the only one: protocols that carry credentials or data without their own encryption (the page cites RDP and FTP) are exposed as soon as the tunnel is bypassed, so they should not depend on the VPN for protection.
## Detection
- Indicators of Compromise: on the client, a DHCP lease whose subnet is a public range (or is unusually large) rather than a private one; a host (/32) route that bypasses the tunnel for an address other than the configured VPN server; application traffic to public addresses leaving the physical interface while the tunnel is up.
- Detection methods and tools: Not specified. Comparing the routing table before and after the VPN connects (`ip route show` on Linux, `netstat -rn` on macOS, `route print` on Windows) against the known server address and the private ranges exposes both manipulations; a packet capture on the physical interface that excludes the VPN server's address should show no application traffic while the tunnel is active.
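A small auditor for the routing-table indicator above, added here as example code (not from the page or from any vendor). It parses Linux `ip route show` lines and flags public ranges that are treated as local (LocalNet) and host routes that bypass the tunnel for any address other than the configured VPN server (ServerIP). The three sample tables and the server address 203.0.113.10 are constructed. The server address must come from out-of-band configuration, not from a DNS lookup made on the suspect network, otherwise a ServerIP victim would compare against the spoofed answer.

```python
import ipaddress

# Ranges that may legitimately appear as on-link routes of the physical interface.
TRUSTED_LOCAL = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]


def parse_route(line):
    """Parse one `ip route show` line into (prefix, dev). Default routes yield prefix None;
    a bare host address (no /len) is a /32 host route. Lines that are not routes return None."""
    tokens = line.split()
    if not tokens:
        return None
    dev = tokens[tokens.index("dev") + 1] if "dev" in tokens else None
    if tokens[0] == "default":
        return None, dev
    try:
        return ipaddress.ip_network(tokens[0], strict=False), dev
    except ValueError:          # e.g. "blackhole ..." or "unreachable ..." entries
        return None


def audit_routes(route_lines, tunnel_iface, vpn_server_ip):
    """Flag IPv4 routes that carry traffic around the tunnel for anything other than
    private/link-local ranges or the single host route to the configured VPN server."""
    server = ipaddress.ip_network(f"{vpn_server_ip}/32")
    findings = []
    for line in route_lines:
        parsed = parse_route(line)
        if parsed is None:
            continue
        prefix, dev = parsed
        # Default routes are expected on both interfaces (the tunnel's overrides the physical
        # one), and anything already pointing into the tunnel is fine.
        if prefix is None or prefix.version != 4 or dev == tunnel_iface:
            continue
        if prefix == server:
            continue            # the one legitimate cleartext exception
        if prefix.prefixlen == 32:
            findings.append(f"ServerIP-style exception: host route to {prefix.network_address} "
                            f"via {dev} is not the configured VPN server {vpn_server_ip}")
        elif not any(prefix.subnet_of(t) for t in TRUSTED_LOCAL):
            findings.append(f"LocalNet-style leak: public range {prefix} on {dev} is treated as local")
    return findings


# Constructed `ip route show` output for three clients whose tunnel interface is tun0.
CLEAN = [
    "default via 10.8.0.1 dev tun0",
    "10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2",
    "192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50",
    "203.0.113.10 via 192.168.1.1 dev wlan0",
]
LOCALNET = [  # rogue DHCP lease 1.2.3.50/24 makes the target's range "local"
    "default via 10.8.0.1 dev tun0",
    "10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2",
    "1.2.3.0/24 dev wlan0 proto kernel scope link src 1.2.3.50",
    "203.0.113.10 via 1.2.3.1 dev wlan0",
]
SERVERIP = [  # spoofed DNS made the client install its server exception for 1.2.3.4
    "default via 10.8.0.1 dev tun0",
    "10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2",
    "192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50",
    "1.2.3.4 via 192.168.1.1 dev wlan0",
]

if __name__ == "__main__":
    for name, table in (("clean", CLEAN), ("localnet", LOCALNET), ("serverip", SERVERIP)):
        print(name, audit_routes(table, "tun0", "203.0.113.10") or "no findings")
```

On a real host, pipe `ip route show` into `audit_routes` right after the VPN reports it is connected; clients that implement "local network access" with firewall rules rather than routes will not show the LocalNet lease as a route, so pair this with a check of the DHCP-assigned address and netmask on the physical interface.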
## References
- Vendor advisories: See specific vendor advisories corresponding to VPN updates released around August 2023.
- Relevant links - defanged:
* Project Website: hxxps://tunnelcrack.mathyvanhoef.com/
* Research Paper presentation: hxxps://www.usenix.org/conference/usenixsecurity21/presentation/oltrogge (Cited for background on prior research, not the main paper)