TunnelCrack VPN vulnerabilities

Summary

Fortinet is aware of a research article named TunnelCrack, published at Usenix [1], which describe the LocalNet and ServerIP attacks.

These attacks aim to leak VPN client traffic outside of the protected VPN tunnel when clients connect via untrusted networks, such as rogue Wi-Fi access points.

The LocalNet attack allows an attacker to force the usage of local network access features of the VPN to access unencrypted traffic.

The ServerIP attack allows an attacker to intercept traffic sent to a spoofed VPN gateway via DNS spoofing attacks.

These attacks do not enable the attacker to decrypt the encrypted traffic but rather will try to redirect the traffic through attacker controlled channels before the traffic is encrypted by the VPN.

Affected Products

None if properly configured: When connecting via an untrusted network, a VPN client should be configured according to recommendations for safety, and/or use secure communication protocols such as SSH/HTTPS that will prevent any spoofing attack. See solutions below.

Solutions

LocalNet attack

With default configuration, the VPN client allows reaching the local network without going through the VPN tunnel.

If the attacker does control the DNS (or is able to perform DNS spoofing attacks), he may attempt to redirect the remote traffic to a local IP.

The usage of HTTPS and certificate validation will raise alerts and prevent connections to malicious spoofed hosts.

SSLVPN:

To prevent it on non-https websites, users can enable "exclusive-routing" to make an SSL VPN Full Tunnel. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enabling-SSL-VPN-Full-Tunnel/ta-p/191848

IPsec:

The configuration where all the traffic goes inside the tunnel is not being affected by the LocalNet attack. https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPSec-dial-up-full-tunnel-with-FortiClient/ta-p/189452 https://community.fortinet.com/t5/FortiGate/Technical-Tip-Impossible-to-access-local-area-network-of-the/ta-p/244482

ServerIP attack

SSL VPN:

By default, HTTPS certificate check is done by FortiClient. It will detect DNS spoofing attempts and display a "Security Alert" pop up.

Only if "Do not alert when the certificate is invalid" is checked in the FortiClient parameters, the VPN user is at risk of the ServerIP attack.

IPsec:

The IPsec protocol performs mutual authentication to avoid spoofing of the gateway IP. (with the use of pre-shared key or certificate X.509)

Acknowledgement

Fortinet is pleased to thanks Mathy Vanhoef from imec-DistriNet, KU Leuven, Nian Xue from New York University and Yashaswi Malla, Zihang Xia and Christina Popper from New York University Abu Dhabi for their research.

Timeline

2023-11-02: Initial publication

References

• [1] Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables
• https://papers.mathyvanhoef.com/usenix2023-tunnelcrack.pdf
• [2] TunnelCrack by KU Leuven, NYU, and NYU Abu Dhabi
• https://tunnelcrack.mathyvanhoef.com/