
Statement regarding TunnelCrack vulnerabilities

Background

In the recent findings collectively named TunnelCrack, Mathy Vanhoef et al. highlight shortcomings in the IP networking stack that affect VPNs. See https://tunnelcrack.mathyvanhoef.com/ for details. These shortcomings are not unique to OpenVPN; they are inherent to routing-based VPN solutions in general.

The basic premise of the LocalNet vulnerability is that an attacker manipulates the local network address range assigned to the client, so that traffic to addresses inside that range may inadvertently bypass the VPN. The ServerIP vulnerability is an attack that allows traffic intended for a specific IP address to bypass the VPN.

On most networks, you won't experience problems. However, issues may arise on untrusted networks, particularly those where a malicious actor controls the local DHCP server or router, or when an untrusted DNS resolver is in use.

Mitigation

OpenVPN does support the block-local flag of the --redirect-gateway and --redirect-private options, which mitigates the problem by routing the local network IPs into the VPN tunnel. In its current implementation it is, however, not completely effective in protecting against all possible LocalNet attacks.

OpenVPN apps on Android are not affected by these vulnerabilities. However, other supported platforms leave room for sufficiently sophisticated attacks.

The OpenVPN community is committed to ensuring that VPN users stay safe even on untrusted networks. We're therefore working on implementing mitigations on the client side to resolve these issues. The goal of these mitigations is to ensure that traffic stays within the VPN context and does not leak outside of it. Due to differences in operating systems and how they handle certain aspects of IP networking, the mitigations may be implemented differently on the different platforms, but they achieve that same goal. Currently, the idea is to ensure that the "block-local" flag will really block any local networks on all platforms.

Note regarding TunnelVision

TunnelVision leverages DHCP option 121 (classless static routes) to push routes to client computers. This can lead to traffic being guided away from the VPN. It is very similar to what happens with TunnelCrack.
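As an added illustration of the LocalNet problem described under Mitigation and of the DHCP option 121 routes mentioned here (this is example code, not code from the OpenVPN project), the following Python audit applies longest-prefix matching to a constructed routing table of a client running with redirect-gateway def1 but without block-local, and lists the destinations that would bypass the tunnel. All interface names, addresses and routes are constructed; the tunnel device name and VPN server address are assumptions passed as parameters.

```python
import ipaddress

# Constructed sample of `ip route` output. The /16 on wlan0 is deliberately
# wide, as a hostile DHCP server could hand out such a mask (LocalNet); the
# 203.0.113.0/24 line mimics a route pushed via DHCP option 121 (TunnelVision).
# 198.51.100.10 plays the role of the VPN server reached over wlan0.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlan0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.0.0/16 dev wlan0 proto kernel scope link src 192.168.1.50
198.51.100.10 via 192.168.1.1 dev wlan0
203.0.113.0/24 via 192.168.1.1 dev wlan0
"""


def parse_routes(text):
    """Return (network, device) pairs from `ip route`-style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        routes.append((ipaddress.ip_network(dest, strict=False),
                       fields[fields.index("dev") + 1]))
    return routes


def egress_device(routes, ip):
    """Longest-prefix match: the interface that would carry traffic to ip."""
    addr = ipaddress.ip_address(ip)
    best = max((r for r in routes if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None


def find_leaks(routes, destinations, tunnel_dev="tun0", vpn_server="198.51.100.10"):
    """Destinations that leave via a non-tunnel interface. Only the VPN
    server's own host route legitimately stays on the physical interface."""
    return {d: egress_device(routes, d) for d in destinations
            if d != vpn_server and egress_device(routes, d) != tunnel_dev}


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    probes = ["8.8.8.8", "192.168.200.5", "203.0.113.7", "10.8.0.1"]
    for dst, dev in find_leaks(table, probes).items():
        print(f"LEAK: {dst} would bypass the tunnel via {dev}")
```

With block-local (or an equivalent client-side mitigation) the wide local subnet would be covered by tunnel routes and the first leak would disappear; the option 121 route is the separate TunnelVision case.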

Last modified on 05/08/24 11:24:58