How to fix TunnelCrack VPN leaks

What caused a mass vulnerability in VPN clients, and how to keep them working.

TunnelCrack vulnerabilities in VPN clients

The main purpose of a VPN is to encrypt your internet connection and protect your data from being intercepted, viewed and altered. The technology is used by companies to ensure secure remote working or communication between branches. For regular users, a VPN helps protect privacy and access content from a specific region. The recently discovered TunnelCrack vulnerabilities can be used to disrupt normal operation of VPNs and partially deprive users of protection. The problem affects most corporate and home user VPNs. What are the causes of those vulnerabilities, and how to stay protected?

How TunnelCrack works

If you connect to a malicious Wi-Fi hotspot or a malign ISP, it can send your computer or phone instructions that will allow some application traffic to bypass the VPN tunnel, making it open to analysis and modification. The attack works regardless of what specific VPN protocol the connection uses. But redirecting all traffic in this way is impractical, so the attackers have to limit themselves to a set list of websites and servers they want to spy on.

The attack exploits the exclusions list that can be set in all VPN clients. Each exclusion directs some traffic past the encrypted VPN tunnel. This feature is needed in at least two cases. First, to keep traffic between local devices out of the VPN tunnel. If your computer is streaming an image to your own TV over a local network, it does not need to be encrypted. Second, traffic already encrypted by the VPN client and destined for the VPN server should be routed past the VPN tunnel. Again, this is logical — if it is directed to the tunnel, it will go through another round of encryption.

The name given by the researchers to an attack on the first case is LocalNet (CVE-2023-36672 and CVE-2023-35838). A rogue router (for example, a Wi-Fi hotspot) feeds the victim incorrect network settings (routing tables) that represent public IP addresses of interest to the attackers as part of the local network. As a result, data exchanged between the victim and these addresses falls under the exclusions and bypasses the VPN tunnel.

An attack on the second case goes by the name of ServerIP (CVE-2023-36673 and CVE-2023-36671). Clients typically access a legitimate VPN server using a domain name. Manipulating the DNS server that the victim connects to, the attackers return an incorrect VPN server IP that matches the IP of the target resources they are interested in. Meanwhile, the cybercriminals retranslate VPN traffic to a real VPN server, and can modify or analyze incoming unencrypted traffic to the target IPs.

What to do as a VPN user

  • Check your VPN service for updates. Peruse the official website and contact technical support. It’s possible that your provider has already updated its applications and settings, so it may be enough to install an update to fix the problem. Note that there may not be an update for iOS due to VPN configuration restrictions on Apple’s side.
  • For services based on pure OpenVPN (of which there are plenty) you can use any OpenVPN client in which the vulnerabilities are fixed. The researchers recommend Windscribe.
  • Check the exclusions in the VPN service settings. If there is an option to “route local traffic without VPN” or “allow access to local network,” disable it. In other words, all traffic must go through the VPN. The obvious downside of this setting is that you won’t be able to log in from the computer to a local NAS or manage smart devices via Wi-Fi over a local network — the only way to do this will be through cloud services. Ideally, the setting to block local traffic should be applied only to public networks, outside the home. But such a nuanced configuration that allows different settings for different networks is not always possible in VPN clients.
  • Set up a secure DNS if you haven’t done so already. This will not only complicate ServerIP attacks, but generally improve network security. A secure DNS dovetails nicely with a VPN, the two should be used in tandem.

What to do as a corporate VPN administrator

  • Check if your VPN clients are exposed to this vulnerability. A manual testing method is described by the researchers on GitHub. Test all versions of VPN clients used in your company for all relevant platforms.
  • Request updates of vulnerable client applications from your corporate VPN provider. Updates were promptly released by Cisco, for example. Note that iOS updates may not be available due to Apple’s configuration restrictions.
  • Check the standard VPN client configuration on all computers. Often the default option is to block local network access, in which case a TunnelCrack attack will not be possible.
  • If you need to keep some local VPN-free traffic, say, to provide access to a printer over a local network at an employee’s home, create restrictive rules on each computer’s local firewall to allow only certain activities from a fixed list.
  • Use DNS security tools. These often form part of all-in-one corporate network security systems, but can also be purchased separately.