The security research team has discovered a total of two attacks. The first is LocalNet, which can be exploited when a user connects to an untrusted WiFi network, and the second is called ServerIP, which can be exploited on untrusted WiFi networks as well as on trusted ones, and even by Internet operators. What both attacks do is manipulate the victim's routing table to trick the VPN client into sending traffic outside the protected VPN tunnel. As a result, a cybercriminal could intercept and read the transmitted traffic.
Under normal conditions, the client's routing table causes all network traffic to be sent through the encrypted VPN tunnel; however, many VPN clients add exceptions that send two types of traffic outside the tunnel. All traffic to and from the local network stays outside the tunnel, and so does all traffic to and from the VPN server itself.
The first rule in the routing table allows that, while we are connected to the VPN server, we can communicate with the computers on the local network without problems. That is, a user could be connected to the VPN server, but still have access to the local network to print, exchange files over SMB, etc. The second rule ensures that there is no routing loop, that is, already encrypted VPN packets are not re-encrypted.
In the two attacks that have been discovered, what they do is precisely exploit these two exceptions in the routing table, with the aim of diverting traffic out of the VPN tunnel and stealing information.
LocalNet Attack
This attack can be exploited very easily when a user connects to an untrusted WiFi network, whether open or protected with WPA2/WPA3 encryption. If a cybercriminal sets up a malicious Wi-Fi or wired network and tricks the victim into connecting to it, he will be able to carry out the attack. For example, if a cybercriminal clones a public network, then when the victim connects to this malicious network the cybercriminal can assign the victim a public IP address with a matching subnet, so that traffic is later leaked without the victim noticing.
In the image above, you can see that the cybercriminal provides the victim with an address in 1.2.3.0/24, and the VPN tunnel is established successfully. Because this public subnet has been presented to the victim as if it were local, the victim will reach this subnet without tunneling the traffic, sending it over the "local network" unencrypted, so the data is compromised.
The cybercriminal could assign even larger subnets to the local network in order to leak almost all of the victim's traffic. The objective of this attack is to leak all traffic outside the VPN tunnel, and a denial of service attack could even be mounted so that the victim has no Internet connectivity at all. The team of researchers tested more than 66 VPN apps on five operating systems and found that almost all iOS VPN apps are vulnerable, most on Windows and Linux are vulnerable, and only 20% are vulnerable on Android.
To defend against this attack, the VPN app should automatically disable access to the local network when the local network uses public IPs.
ServerIP attack
In this attack, the attacker spoofs DNS responses before the VPN tunnel is established, and is then able to see all traffic to the VPN server. Here too the cybercriminal could act as the Wi-Fi or wired network to carry out the attack, and a malicious Internet operator could do it on a large scale without much trouble. The idea is that the attacker spoofs the IP address of the VPN server: for example, if the VPN server's hostname points to 2.2.2.2, the attacker could change this IP address to his own, 1.2.3.4, so that the VPN client connects to the attacker, who in turn connects to the VPN service, "sneaking" into the communication path without the client's knowledge. Of course, all the traffic it receives from the VPN client is forwarded to the real VPN server so that the client believes the connection was successful.
When the victim visits a website, the client sends the traffic to 1.2.3.4 instead of the "real" VPN server, and because of the routing rule that prevents packets to the VPN server from being re-encrypted, the request is sent outside the protected VPN tunnel, so all traffic is compromised.
The research team has discovered that the VPN clients built into Windows, macOS and iOS are vulnerable. Android 12 and above is not affected by this issue. Furthermore, quite a few VPNs on Linux are also vulnerable. Another important aspect is that most VPN services use a domain to establish the connection, instead of using a public IP address, therefore, they could be affected by this attack.
To prevent this attack, VPN clients must be updated so that all traffic is sent through the VPN tunnel, with the only exception being traffic generated by the VPN application itself.
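To make the two routing-table exceptions and both fixes concrete, here is a toy model of a VPN client's routing table. It is an added example, not code from the TunnelCrack paper or from any VPN client; the interface names, the `hardened` flag and the sample subnets are constructed for the demonstration. With `hardened=False` it reproduces the LocalNet and ServerIP leaks described above; with `hardened=True` it applies the two mitigations the text names (no local-network exception for public address space, and a server exception usable only by the VPN application's own packets).

```python
import ipaddress
from typing import List, NamedTuple

# Constructed model: the address ranges a hardened client accepts as a "real" LAN.
# Checking subnet_of() instead of is_private() also rejects oversized attacker
# subnets such as 0.0.0.0/1, whose endpoints happen to look private.
PRIVATE_RANGES = [ipaddress.ip_network(p) for p in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

class Route(NamedTuple):
    dst: ipaddress.IPv4Network
    iface: str           # "tunnel" (encrypted) or "physical" (outside the tunnel)
    vpn_app_only: bool   # exception usable only by the VPN app's own packets

def build_routes(local_subnet: str, server_ip: str, hardened: bool) -> List[Route]:
    """Return the client's routing table: a default via the tunnel plus the two exceptions."""
    local = ipaddress.ip_network(local_subnet, strict=False)
    server = ipaddress.ip_network(f"{server_ip}/32")
    routes = [Route(ipaddress.ip_network("0.0.0.0/0"), "tunnel", False)]
    # Exception 1: keep LAN printers/SMB reachable. Hardened clients refuse a "LAN"
    # that is not inside a private range (the LocalNet mitigation).
    if not hardened or any(local.subnet_of(p) for p in PRIVATE_RANGES):
        routes.append(Route(local, "physical", False))
    # Exception 2: avoid re-encrypting packets already destined for the VPN server.
    # Hardened clients grant it only to the VPN app's own traffic (the ServerIP mitigation).
    routes.append(Route(server, "physical", vpn_app_only=hardened))
    return routes

def egress(routes: List[Route], dst: str, from_vpn_app: bool = False) -> str:
    """Longest-prefix match over the routes this packet is permitted to use."""
    addr = ipaddress.ip_address(dst)
    usable = [r for r in routes
              if addr in r.dst and (from_vpn_app or not r.vpn_app_only)]
    return max(usable, key=lambda r: r.dst.prefixlen).iface

if __name__ == "__main__":
    # LocalNet: the rogue network hands out the public 1.2.3.0/24 as the "LAN".
    leaky = build_routes("1.2.3.0/24", "2.2.2.2", hardened=False)
    fixed = build_routes("1.2.3.0/24", "2.2.2.2", hardened=True)
    print("LocalNet :", egress(leaky, "1.2.3.50"), "->", egress(fixed, "1.2.3.50"))
    # ServerIP: spoofed DNS made the client believe the server lives at 1.2.3.4.
    leaky = build_routes("192.168.1.0/24", "1.2.3.4", hardened=False)
    fixed = build_routes("192.168.1.0/24", "1.2.3.4", hardened=True)
    print("ServerIP :", egress(leaky, "1.2.3.4"), "->", egress(fixed, "1.2.3.4"))
    print("VPN app  :", egress(fixed, "1.2.3.4", from_vpn_app=True))
```

Run as a script it prints `physical -> tunnel` for both attacks, while the VPN app's own packets to the server still leave over the physical interface.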
In the following video you can see a demonstration of how the attacks would be carried out:
As you can see, most VPNs are in jeopardy because of these security flaws, which could compromise our privacy and security quite easily. No powerful computer is needed: anyone with access to the network can carry out these attacks, and they are independent of the VPN protocol used, since neither the encryption nor the connection establishment is attacked, only the routing table.
Has the problem been corrected yet?
In order to protect users, the corresponding security updates were released a few days ago during a coordinated 90-day disclosure, in collaboration with CERT/CC and various VPN providers. For example, Mozilla VPN, Surfshark, Malwarebytes, Windscribe, and Cloudflare's WARP are already patched. Very soon many other companies will also release patches to fix or mitigate the problem on the VPN client side. If no update is available for your VPN, the LocalNet attack can be mitigated by disabling access to the local network. Of course, the problem is also mitigated by always using HTTPS for all communications, but unfortunately only websites that use HSTS guarantee that the connection will always be over HTTPS.
While most manufacturers and companies have reacted very quickly to solve this problem, we must emphasize that Microsoft does not plan to release any patch to fix this vulnerability, because they believe that it is not really a bug but behavior by design, and that there is no way information can be leaked once the tunnel has been established. The research team has shown that this is not true, and they believe that Microsoft has misunderstood the attacks.
In the case of DNS, bearing in mind that the majority of requests still use plain DNS rather than private alternatives like DNS over TLS or DNS over HTTPS, the solution would be to use DoT or DoH to protect ourselves and prevent a cybercriminal from seeing and manipulating the DNS requests we make. In many cases, VPNs are used to encapsulate other protocols that are not secure on their own, such as RDP, FTP, or Telnet. In these cases, a cybercriminal could strip away the protection offered by the VPN and get hold of the access credentials of these insecure protocols, so you must be very careful from now on.
We recommend you visit the official website of this TunnelCrack vulnerability where you will find all the technical details, including the paper with all the research and tests of the different VPN services.