Cisco Security Advisory
Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables Affecting Cisco AnyConnect Secure Mobility Client and Cisco Secure Client
Summary
On August 8, 2023, the paper Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables was made public. The paper describes two attacks, LocalNet (CVE-2023-36672) and ServerIP (CVE-2023-36673), that can cause VPN clients to leak traffic outside the protected VPN tunnel. In both cases, an attacker on the client's network path manipulates the routing exceptions that the client maintains (the destinations that are deliberately sent outside the tunnel, such as the VPN server itself or the local LAN) so that traffic to a destination of the attacker's choosing is sent in the clear to a device that they control instead of through the encrypted tunnel.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-leak-Sew6g2kd
Affected Products
Vulnerable Products
These attacks affect Cisco Secure Client AnyConnect VPN for iOS regardless of client configuration.
These attacks affect the following products if they are deployed with an affected configuration:
- Cisco AnyConnect Secure Mobility Client for Linux
- Cisco AnyConnect Secure Mobility Client for MacOS
- Cisco AnyConnect Secure Mobility Client for Windows
- Cisco Secure Client for Linux
- Cisco Secure Client for MacOS
- Cisco Secure Client for Windows
For information about affected configurations, see the Details section of this advisory.
Products Confirmed Not Vulnerable
Cisco has confirmed that these attacks do not affect Cisco Secure Client AnyConnect for Android.
Details
CVE-2023-36672
For the LocalNet attacks to be successful, a client must be configured to allow local LAN access. With that setting enabled, the client excludes the local subnet it learned from the network (typically through DHCP) from the tunnel, so a rogue network can assign the client an address and netmask that place the target server inside the "local" subnet, and traffic to that server is then sent unencrypted. The default policy for clients is to deny local LAN access. As a result, clients in a default configuration are not affected by the LocalNet attacks.
CVE-2023-36673
The ServerIP attacks abuse the routing exception that the client creates for the VPN server's own address: if the attacker spoofs the DNS answer for the VPN server hostname, that exception is installed for an address of the attacker's choosing, and traffic to that address bypasses the tunnel. Customers who use the Umbrella Roaming Security module are protected against DNS spoofing attacks like the one described by CVE-2023-36673.
Workarounds
For customers who have configured clients to allow local LAN access, Cisco recommends applying client firewall rules to allow access to necessary resources only. For example, customers who need to allow access to printers on a client local LAN can enable Client Firewall for Local Printer Support, as outlined in the General VPN Setup chapter of the ASDM Book 3: Cisco ASA Series VPN ASDM Configuration Guide. Similar firewall rules can be created for other local services that require access.
For customers who have not deployed the Umbrella Roaming Security Module, more information is available in the AnyConnect OpenDNS Roaming Security Module Deployment Guide.
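To make the routing-exception mechanics behind both CVEs in the Details section and the scope of the client-firewall workaround above concrete, here is a small Python model. It is an added illustration written for this page; it is not Cisco client code and not the researcher's proof of concept. It models a tunnel-all client as a route table: a default route via the tunnel, a host exception for the VPN server's resolved address, and, only when local LAN access is allowed, a route for the DHCP-assigned local subnet. The interface names, the RFC 5737 addresses, the DHCP leases and the printer-only rule set are constructed for the example, and the client firewall is simplified to a set of (protocol, port) pairs permitted on the public interface.

```python
"""Toy model of a VPN client's routing exceptions and client firewall.
Added illustration only: not Cisco code and not the TunnelCrack proof of concept.
Interface names, addresses and the firewall rule format are assumptions."""
import ipaddress
from dataclasses import dataclass

TUNNEL = "tun0"   # assumed tunnel interface name
PUBLIC = "wlan0"  # assumed physical interface (the "public" interface in client-firewall terms)


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


def client_routes(vpn_server_ip, lease=None, allow_local_lan=False):
    """Routes a tunnel-all client installs: a default route via the tunnel, a host
    exception for the VPN server (its encrypted packets must not re-enter the tunnel)
    and, only when local LAN access is allowed, the subnet of the DHCP lease."""
    routes = [Route(ipaddress.ip_network("0.0.0.0/0"), TUNNEL),
              Route(ipaddress.ip_network(f"{vpn_server_ip}/32"), PUBLIC)]
    if allow_local_lan and lease:
        routes.append(Route(ipaddress.ip_network(lease, strict=False), PUBLIC))
    return routes


def egress(routes, dst):
    """Longest-prefix match, as the OS would do it; the default route guarantees a hit."""
    addr = ipaddress.ip_address(dst)
    return max((r for r in routes if addr in r.prefix),
               key=lambda r: r.prefix.prefixlen).iface


def leaks(routes, dst):
    """True when traffic to dst bypasses the tunnel."""
    return egress(routes, dst) == PUBLIC


# Constructed addresses from the RFC 5737 documentation ranges.
VPN_SERVER = "203.0.113.10"
TARGET = "198.51.100.25"  # the site whose traffic the attacker wants to see in the clear


def serverip_attack():
    """CVE-2023-36673 pattern: the VPN server hostname is resolved, through a spoofed
    DNS answer, to the target's address, so the server exception now covers the target.
    Returns (leaks with honest DNS, leaks with spoofed DNS)."""
    return leaks(client_routes(VPN_SERVER), TARGET), leaks(client_routes(TARGET), TARGET)


def localnet_attack():
    """CVE-2023-36672 pattern: a rogue network's DHCP lease places the target inside
    the "local" subnet.  Returns (normal lease, rogue lease, rogue lease but local
    LAN access denied, i.e. the default policy)."""
    return (leaks(client_routes(VPN_SERVER, "192.168.1.7/24", True), TARGET),
            leaks(client_routes(VPN_SERVER, "198.51.100.7/24", True), TARGET),
            leaks(client_routes(VPN_SERVER, "198.51.100.7/24", False), TARGET))


# Pre-connect sanity check: a "local" subnet that is not inside a private range
# (a rogue network handing out an oversized mask, or a public prefix) would let
# public destinations bypass the tunnel whenever local LAN access is allowed.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def lease_is_suspicious(lease):
    net = ipaddress.ip_network(lease, strict=False)
    return not any(net.subnet_of(p) for p in PRIVATE)


# Workaround model: rules for traffic leaving the public interface, as (proto, port).
# A printer-only set in the spirit of the advisory's "local printer support" example.
PRINTER_ONLY = {("tcp", 9100), ("tcp", 631), ("tcp", 515), ("udp", 5353)}


def delivered_in_clear(routes, dst, proto, port, allowed=PRINTER_ONLY):
    """A flow reaches the wire unencrypted only if it routes to the public interface
    AND the client firewall lets it out on that interface."""
    return leaks(routes, dst) and (proto, port) in allowed


def workaround_effect():
    """LocalNet scenario with the printer-only policy applied.
    Returns (HTTPS to target delivered in clear, IPP to target delivered in clear)."""
    rogue = client_routes(VPN_SERVER, "198.51.100.7/24", allow_local_lan=True)
    return (delivered_in_clear(rogue, TARGET, "tcp", 443),
            delivered_in_clear(rogue, TARGET, "tcp", 631))


if __name__ == "__main__":
    print("ServerIP (honest, spoofed):", serverip_attack())
    print("LocalNet (normal, rogue, rogue+denied):", localnet_attack())
    print("suspicious lease 198.51.100.7/24:", lease_is_suspicious("198.51.100.7/24"))
    print("printer-only firewall (https, ipp):", workaround_effect())
```

The last function shows the limit of the workaround: with a printer-only public-interface policy the leaked HTTPS flow is dropped, but anything on a permitted port still leaves in the clear, so the rule set should list only the protocols (and, where the platform allows it, the hosts) that are actually needed. The lease check is a heuristic a deployment script or endpoint agent could run before bringing the tunnel up; it does not replace leaving local LAN access at its default of denied.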
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team is aware that proof-of-concept exploit code is available for the attacks that are described in this advisory. This was made available by the researcher at the following link: https://tunnelcrack.mathyvanhoef.com
Source
These attacks were reported to Cisco by Dr. Mathy Vanhoef of New York University Abu Dhabi. Cisco would like to thank Dr. Vanhoef for his continued help and support.
Cisco Security Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision History
Version  Description              Section  Status  Date
1.0      Initial public release.  -        Final   2023-AUG-08
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.