Lucene search

Ubuntu.comUB:CVE-2023-36671

HistoryAug 09, 2023 - 12:00 a.m.

CVE-2023-36671

2023-08-0900:00:00

ubuntu.com

clario vpn client

operating system

plaintext traffic

vpn server

ip address

vpn tunnel

deanonymize

adversary

cve-2023-36671

serverip attack

macos

network-manager-openvpn

openvpn

network-manager-pptp

pptp-linux

ubuntu

6.3 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

6.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.5%

JSON

An issue was discovered in the Clario VPN client through 5.9.1.1662 for
macOS. The VPN client insecurely configures the operating system such that
all IP traffic to the VPN server’s IP address is sent in plaintext outside
the VPN tunnel even if this traffic is not generated by the VPN client.
This allows an adversary to trick the victim into sending plaintext traffic
to the VPN server’s IP address and thereby deanonymize the victim. NOTE:
the tunnelcrack.mathyvanhoef.com website uses this CVE ID to refer more
generally to “ServerIP attack for only traffic to the real IP address of
the VPN server” rather than to only Clario.

Notes

Author	Note
mdeslaur	other VPN software may also be affected. See whitepaper for the complete list.
evancaville	as of 2024-02-05, there doesn’t appear to be an upstream fix available for network-manager-openvpn, openvpn packages. as of 2024-02-29, there doesn’t appear to be an upstream fix available for network-manager-pptp, pptp-linux.
mdeslaur	as of 2024-04-15, this CVE appears to be specific to the Clario VPN client, marking all Ubuntu packages as not-affected

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchopenconnect< anyUNKNOWN
ubuntu20.04noarchopenconnect< anyUNKNOWN
ubuntu22.04noarchopenconnect< anyUNKNOWN
ubuntu23.10noarchopenconnect< anyUNKNOWN
ubuntu24.04noarchopenconnect< anyUNKNOWN
ubuntu16.04noarchopenconnect< anyUNKNOWN
ubuntu22.04noarchsoftether-vpn< anyUNKNOWN
ubuntu23.10noarchsoftether-vpn< anyUNKNOWN
ubuntu24.04noarchsoftether-vpn< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	openconnect	< any	UNKNOWN
ubuntu	20.04	noarch	openconnect	< any	UNKNOWN
ubuntu	22.04	noarch	openconnect	< any	UNKNOWN
ubuntu	23.10	noarch	openconnect	< any	UNKNOWN
ubuntu	24.04	noarch	openconnect	< any	UNKNOWN
ubuntu	16.04	noarch	openconnect	< any	UNKNOWN
ubuntu	22.04	noarch	softether-vpn	< any	UNKNOWN
ubuntu	23.10	noarch	softether-vpn	< any	UNKNOWN
ubuntu	24.04	noarch	softether-vpn	< any	UNKNOWN

References

launchpad.net/bugs/cve/CVE-2023-36671

nvd.nist.gov/vuln/detail/CVE-2023-36671

openvpn.net/security-advisory/statement-regarding-tunnelcrack-vulnerabilities/

papers.mathyvanhoef.com/usenix2023-tunnelcrack.pdf

security-tracker.debian.org/tracker/CVE-2023-36671

tunnelcrack.mathyvanhoef.com/details.html

www.cve.org/CVERecord?id=CVE-2023-36671

www.softether.org/9-about/News/905-TunnelCrack

6.3 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

6.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.5%

JSON

Related for UB:CVE-2023-36671