VPNs are vulnerable to TunnelCrack attacks that leak traffic

Introduction

Researchers have discovered several vulnerabilities, affecting most VPN products on the market, that attackers can use to read user traffic, steal user information, and even attack user devices.

"The attack we performed is computationally inexpensive, meaning anyone with appropriate network access can perform the attack, and the attack is independent of the VPN protocol used," said Nian Xue of New York University, Yashaswi Malla, Zihang Xia and Christina Pöpper of New York University Abu Dhabi, and Mathy Vanhoef of KU Leuven in Belgium in the paper.

"Even if the victim uses another layer of encryption, such as HTTPS, our attack will reveal which websites the user is visiting, which can be a significant privacy risk."


VPN vulnerabilities and possible attacks

The disclosed vulnerabilities have been assigned four CVE identifiers: CVE-2023-36672, CVE-2023-35838, CVE-2023-36673, and CVE-2023-36671. Because so many products on the market are affected, each identifier represents a vulnerability class on its own, independently of the affected product or codebase.

The first two vulnerabilities are exploited in the LocalNet attack, which requires the victim to be connected to a Wi-Fi or Ethernet network controlled by the attacker. The latter two are exploited in the ServerIP attack, which can be carried out either by an attacker running an untrusted Wi-Fi/Ethernet network or by a malicious Internet Service Provider (ISP).

"Both attacks manipulate the victim's routing table, tricking the victim into sending traffic outside of the protected VPN tunnel so that the attacker can read and intercept the transmitted traffic," the researchers said.
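The quote above is the whole mechanism: a full-tunnel VPN client installs routes that send everything through the tunnel interface, plus two exceptions (the local subnet, and the VPN server's own address as a /32) so that the LAN and the tunnel itself keep working. LocalNet abuses the first exception, ServerIP the second. The following Python model, added here as an illustration and not taken from the TunnelCrack paper or its test scripts, implements longest-prefix-match lookup over such a table and shows which destination ends up on the plaintext link in each case. The route layout (two /1 routes over a default route, as OpenVPN's "redirect-gateway def1" does), the RFC 5737 documentation addresses and the "private ranges only" policy in hardened_table are assumptions chosen for the example; the policy is one way to implement the "disable local network access" advice the researchers give, and it does nothing against ServerIP.

```python
"""Simplified model of how the LocalNet and ServerIP attacks abuse a VPN
client's routing table.  Added example, not code from the TunnelCrack paper;
addresses are constructed from RFC 5737 documentation ranges."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str  # "tun0": inside the tunnel, "eth0": plaintext physical link


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, the rule every OS applies when choosing a route."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.iface if best else None


def vpn_table(local_net: str, server_ip: str) -> List[Route]:
    """Typical full-tunnel client table (simplified, assumed layout).

    The two /1 routes are more specific than the default route, so all traffic
    goes via tun0.  Two exceptions stay on eth0: the local subnet handed out by
    DHCP (printers, LAN shares) and the VPN server's own address as a /32, so the
    encrypted tunnel packets are not themselves routed into the tunnel.
    """
    return [
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "eth0"),
        Route(ipaddress.IPv4Network("0.0.0.0/1"), "tun0"),
        Route(ipaddress.IPv4Network("128.0.0.0/1"), "tun0"),
        Route(ipaddress.IPv4Network(local_net), "eth0"),
        Route(ipaddress.IPv4Network(f"{server_ip}/32"), "eth0"),
    ]


# Assumed policy for the hardened table: only RFC 1918 and link-local ranges
# count as a "real" LAN.  Documentation ranges are deliberately not included.
PRIVATE_LAN_RANGES = [ipaddress.IPv4Network(n) for n in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def hardened_table(local_net: str, server_ip: str) -> List[Route]:
    """Same table, but the LAN exception is only installed for a private range.

    One illustrative way to implement "disable local network access" for any
    subnet that is not a genuine private LAN.  It stops LocalNet only; ServerIP
    abuses the /32 server exception, which this function leaves in place.
    """
    net = ipaddress.IPv4Network(local_net)
    table = vpn_table(local_net, server_ip)
    if not any(net.subnet_of(p) for p in PRIVATE_LAN_RANGES):
        table = [r for r in table if r.prefix != net]
    return table


def leaked(routes: List[Route], targets: List[str]) -> Dict[str, str]:
    """Targets whose packets would leave in plaintext on eth0 instead of tun0."""
    return {t: lookup(routes, t) for t in targets if lookup(routes, t) != "tun0"}


if __name__ == "__main__":
    TARGET = "198.51.100.7"   # constructed: the website the attacker wants to observe
    SERVER = "203.0.113.10"   # constructed: the legitimate VPN server
    # 1. Honest network: the LAN is 192.168.1.0/24, the target goes through the tunnel.
    print("normal  :", leaked(vpn_table("192.168.1.0/24", SERVER), [TARGET]))        # {}
    # 2. LocalNet: the attacker's DHCP claims the "local" subnet contains the target.
    print("LocalNet:", leaked(vpn_table("198.51.100.0/24", SERVER), [TARGET]))       # {'198.51.100.7': 'eth0'}
    # 3. ServerIP: the attacker's spoofed DNS reply makes the VPN server address equal
    #    the target and forwards the handshake to the real server, so the VPN still connects.
    print("ServerIP:", leaked(vpn_table("192.168.1.0/24", TARGET), [TARGET]))        # {'198.51.100.7': 'eth0'}
    # 4. LocalNet mitigation: refuse a LAN exception for a non-private subnet.
    print("hardened:", leaked(hardened_table("198.51.100.0/24", SERVER), [TARGET]))  # {}
```

Running the block prints the four scenarios; the useful observation is that the VPN protocol and its encryption never enter the picture, because the leak happens at the route lookup before any packet reaches the tunnel. That is also why the attack is invisible to the tunnel endpoint and why HTTPS still reveals the destination address.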

The researchers provided video demonstrations of the attacks (https://www.youtube.com/watch?v=vOawEz39yNY&t=52s). They also released scripts that can be used to check whether a VPN client is vulnerable.

"Once enough devices have been patched, the attack scripts will also be released publicly if deemed necessary and/or advantageous," they added.

Vulnerable applications/client software and mitigation recommendations

After testing numerous consumer and business-grade VPN solutions, the researchers found that most VPNs for Apple devices (Macs, iPhones and iPads alike), as well as VPNs for Windows and Linux, are susceptible to one or both of the attacks above. On Android, only about a quarter of VPN apps are vulnerable, most likely because of its "well-designed" APIs.

The built-in VPN clients of Windows, macOS, and iOS are also vulnerable, as are some VPN clients on Linux.

The researchers said they were unaware of the vulnerabilities being exploited in the wild, but noted that it would be difficult to tell whether they had been.

They notified a number of VPN providers about the discovered vulnerabilities. Some of these vendors have fixed the vulnerabilities but did not mention them in the release notes of the update, in order to honor the researchers' request to keep the findings confidential until publication.

A full list of the VPN apps tested on the various platforms is included at the end of the researchers' paper. Check whether the VPN app you use is on that list; if it is and it is marked vulnerable, verify that the vendor has fixed the vulnerability. If that information is not available, contact the vendor's technical support and ask.

"Some of the VPNs that have been patched include Mozilla VPN, Surfshark, Malwarebytes, Windscribe (which can import OpenVPN configuration files), and Cloudflare's WARP," the researchers said.

Cisco confirmed that its Cisco Secure Client and AnyConnect Secure Mobility Client for Linux, macOS and Windows are vulnerable to CVE-2023-36672, but only in specific non-default configurations. Mullvad said only its iOS app was vulnerable to the LocalNet attack.

Researchers advise: "If your VPN has not been updated accordingly, you can counter the LocalNet attack by disabling local network access. You can also counter the attack by ensuring that the website uses HTTPS, which many websites now support."


Source: blog.csdn.net/weixin_56035688/article/details/132823715