Lucene search

Ubuntu.comUB:CVE-2023-36672

HistoryAug 09, 2023 - 12:00 a.m.

CVE-2023-36672

2023-08-0900:00:00

ubuntu.com

cve-2023-36672

clario vpn

macos

local network

plaintext traffic

adversary

vpn tunnel

security vulnerability

whitepaper

network-manager

openvpn

wireguard

network security

5.7 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.7%

JSON

An issue was discovered in the Clario VPN client through 5.9.1.1662 for
macOS. The VPN client insecurely configures the operating system such that
traffic to the local network is sent in plaintext outside the VPN tunnel
even if the local network is using a non-RFC1918 IP subnet. This allows an
adversary to trick the victim into sending arbitrary IP traffic in
plaintext outside the VPN tunnel. NOTE: the tunnelcrack.mathyvanhoef.com
website uses this CVE ID to refer more generally to “LocalNet attack
resulting in leakage of traffic in plaintext” rather than to only Clario.

Notes

Author	Note
mdeslaur	other VPN software may also be affected. See whitepaper for the complete list.
evancaville	as of 2024-02-05, there doesn’t appear to be an upstream fix available for network-manager-openvpn, openvpn packages. as of 2024-02-29, there doesn’t appear to be an upstream fix available for network-manager-pptp, pptp-linux. wireguard itself is not vulnerable, however the wg-quick tool includes local network access. See the wg-quick manpage and documentation on methods to disable this.
mdeslaur	as of 2024-04-15, this CVE appears to be specific to the Clario VPN client, marking all Ubuntu packages as not-affected

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchopenconnect< anyUNKNOWN
ubuntu16.04noarchopenconnect< anyUNKNOWN
ubuntu22.04noarchsoftether-vpn< anyUNKNOWN
ubuntu23.10noarchsoftether-vpn< anyUNKNOWN
ubuntu24.04noarchsoftether-vpn< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	openconnect	< any	UNKNOWN
ubuntu	16.04	noarch	openconnect	< any	UNKNOWN
ubuntu	22.04	noarch	softether-vpn	< any	UNKNOWN
ubuntu	23.10	noarch	softether-vpn	< any	UNKNOWN
ubuntu	24.04	noarch	softether-vpn	< any	UNKNOWN

References

launchpad.net/bugs/cve/CVE-2023-36672

nvd.nist.gov/vuln/detail/CVE-2023-36672

openvpn.net/security-advisory/statement-regarding-tunnelcrack-vulnerabilities/

papers.mathyvanhoef.com/usenix2023-tunnelcrack.pdf

security-tracker.debian.org/tracker/CVE-2023-36672

tunnelcrack.mathyvanhoef.com/details.html

www.cve.org/CVERecord?id=CVE-2023-36672

www.softether.org/9-about/News/905-TunnelCrack

5.7 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.7%

JSON

Related for UB:CVE-2023-36672