Metric | Value |
---|---|
CVSS3 | 6.3 Medium |
Attack Vector | LOCAL |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | NONE |
Vector | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
AI Score | 6.4 Medium (Confidence: High) |
EPSS | 0.001 Low (Percentile: 21.5%) |

An issue was discovered in the Clario VPN client through 5.9.1.1662 for
macOS. The VPN client insecurely configures the operating system such that
all IP traffic to the VPN server’s IP address is sent in plaintext outside
the VPN tunnel even if this traffic is not generated by the VPN client.
This allows an adversary to trick the victim into sending plaintext traffic
to the VPN server’s IP address and thereby deanonymize the victim. NOTE:
the tunnelcrack.mathyvanhoef.com website uses this CVE ID to refer more
generally to “ServerIP attack for only traffic to the real IP address of
the VPN server” rather than to only Clario.
Author | Note |
---|---|
mdeslaur | other VPN software may also be affected. See whitepaper for the complete list. |
evancaville | as of 2024-02-05, there doesn’t appear to be an upstream fix available for network-manager-openvpn, openvpn packages. as of 2024-02-29, there doesn’t appear to be an upstream fix available for network-manager-pptp, pptp-linux. |
mdeslaur | as of 2024-04-15, this CVE appears to be specific to the Clario VPN client, marking all Ubuntu packages as not-affected |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | openconnect | < any | UNKNOWN |
ubuntu | 20.04 | noarch | openconnect | < any | UNKNOWN |
ubuntu | 22.04 | noarch | openconnect | < any | UNKNOWN |
ubuntu | 23.10 | noarch | openconnect | < any | UNKNOWN |
ubuntu | 24.04 | noarch | openconnect | < any | UNKNOWN |
ubuntu | 16.04 | noarch | openconnect | < any | UNKNOWN |
ubuntu | 22.04 | noarch | softether-vpn | < any | UNKNOWN |
ubuntu | 23.10 | noarch | softether-vpn | < any | UNKNOWN |
ubuntu | 24.04 | noarch | softether-vpn | < any | UNKNOWN |
launchpad.net/bugs/cve/CVE-2023-36671
nvd.nist.gov/vuln/detail/CVE-2023-36671
openvpn.net/security-advisory/statement-regarding-tunnelcrack-vulnerabilities/
papers.mathyvanhoef.com/usenix2023-tunnelcrack.pdf
security-tracker.debian.org/tracker/CVE-2023-36671
tunnelcrack.mathyvanhoef.com/details.html
www.cve.org/CVERecord?id=CVE-2023-36671
www.softether.org/9-about/News/905-TunnelCrack