Two vulnerabilities found in popular business VPN solutions could allow hackers to divert traffic outside a VPN tunnel, among other things. 

A new research paper, recently published by a group of authors from different universities around the world, outlined two vulnerabilities affecting Cisco routers were mentioned - CVE-2023-36672, and CVE-2023-36673. 

The flaws, collectively titled TunnelCrack, affect Cisco Secure Client AnyConnect VPN for iOS regardless of client configuration.

Manipulating routing exceptions

The paper, titled Bypassing tunnels: “Leaking VPN client traffic by abusing routing tables” was written by Nian Xue of the New York University, together with Yashaswi Malla, Zihang Xia, and Christina Popper of the New York University Abu Dhabi, and Mathy Vanhoef from the imec-DistriNet, KU Leuven.

“Our first set of vulnerabilities, called LocalNet attacks, can be exploited when a user connects to an untrusted Wi-Fi network,” one of the researchers - Mathy Vanhoef - told The Register. “Our second set of vulnerabilities, called ServerIP attacks, can be exploited by untrusted Wi-Fi networks and by malicious Internet service providers. Both attacks manipulate the victim's routing table to trick the victim into sending traffic outside the protected VPN tunnel, allowing an adversary to read and intercept transmitted traffic.”

Soon after the paper was published, Cisco sounded the alarm, saying the vulnerabilities can be abused by an attacker to “manipulate routing exceptions that are maintained by the client to redirect traffic to a device that they control without the benefit of the VPN tunnel encryption." However, no patch seems to be required, as Cisco only said that a few properly configured firewall rules should do the trick.

"For customers who have configured clients to allow local LAN access, Cisco recommends applying client firewall rules to allow access to necessary resources only," the networking giant said.

Via: The Register