An issue has been discovered in Avira Phantom VPN through version 2.23.1 for macOS. It allows an adversary to make the victim's device send traffic to an arbitrary IP address in plaintext, outside the virtual private network (VPN) tunnel, thereby potentially exposing sensitive data and communications.

The VPN client insecurely configures the macOS operating system so that all IP traffic to the VPN server's IP address is sent in plaintext outside the VPN tunnel, even when that traffic is not generated by the VPN client itself. The issue is compounded by the use of plaintext DNS to look up the VPN server's IP address: the address that receives this tunnel exemption is whatever the resolver returned, with no authentication of the answer.

Exploit Details

The ServerIP attack, combined with DNS spoofing, lets an attacker on the victim's network path choose which destination is exempted from the tunnel. When the client looks up the VPN server's hostname, the attacker intercepts the DNS query and returns the IP address of a target of their choice (for example, a web service the victim uses). The client then treats that address as the VPN server and routes all traffic to it outside the tunnel, so the victim's communications with the target leave the device in plaintext where the attacker can read or manipulate them.

Here is a code snippet that demonstrates the insecure DNS lookup:

import socket

# Hostname of the VPN server as configured in the client (example name).
hostname = "vpn.example.com"

# Plain, unauthenticated DNS lookup: the answer can be forged by anyone on
# the resolution path. getaddrinfo() returns (family, type, proto, canonname,
# sockaddr) tuples; for AF_INET the sockaddr is (ip, port).
ipv4_address = socket.getaddrinfo(hostname, None, socket.AF_INET)[0][4][0]
print("Insecurely looked-up VPN server IP address:", ipv4_address)

In this example, socket.getaddrinfo() performs an ordinary, unauthenticated DNS lookup to retrieve the IPv4 address of the VPN server. An attacker on the resolution path (for example, on the same Wi-Fi network) can spoof the response and substitute an arbitrary IP address. If the client then exempts that address from the tunnel, every packet the victim sends to it bypasses the VPN.
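The following is an added illustration of the class of misconfiguration described above, not code from Avira Phantom VPN or from the TunnelCrack authors. It models, in plain Python, the routing decision a VPN client makes after resolving its server: the vulnerable variant exempts all traffic to whatever IP the DNS answer contained, while a hardened variant accepts only a pinned server address and exempts only the client's own tunnel flow. The hostname, addresses (TEST-NET ranges), port, process name and DNS answers are all constructed for the example.

```python
# Added example: a model of the ServerIP route-exception bug and a hardened
# variant. Illustrative code, not Avira's implementation; all hostnames,
# IP addresses, ports and process names below are constructed assumptions.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Optional

VPN_HOSTNAME = "vpn.example.com"     # assumed VPN server hostname
PINNED_VPN_IPS = {"198.51.100.7"}    # assumed: server IPs shipped with the client config
TUNNEL_PORT = 51820                  # assumed tunnel UDP port
VPN_PROCESS = "vpn-client"           # assumed name of the client process

# Constructed DNS answers: what a legitimate resolver returns, and what an
# on-path attacker injects to make the client exempt a target of their choice.
LEGIT_ANSWER = {VPN_HOSTNAME: "198.51.100.7"}
SPOOFED_ANSWER = {VPN_HOSTNAME: "203.0.113.10"}   # attacker-chosen target


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" or "udp"
    process: str     # process that generated the packet


@dataclass(frozen=True)
class BypassRule:
    """Traffic matching this rule is routed around the tunnel. None = wildcard."""
    dst_ip: str
    dst_port: Optional[int]
    proto: Optional[str]
    process: Optional[str]

    def matches(self, pkt: Packet) -> bool:
        return (pkt.dst_ip == self.dst_ip
                and self.dst_port in (None, pkt.dst_port)
                and self.proto in (None, pkt.proto)
                and self.process in (None, pkt.process))


def vulnerable_bypass_rule(dns_answer: Dict[str, str]) -> BypassRule:
    """Trusts the plaintext DNS answer and exempts ALL traffic to that IP."""
    server_ip = dns_answer[VPN_HOSTNAME]
    return BypassRule(dst_ip=server_ip, dst_port=None, proto=None, process=None)


def hardened_bypass_rule(dns_answer: Dict[str, str]) -> BypassRule:
    """Accepts only a pinned server IP and exempts only the tunnel's own UDP flow."""
    server_ip = str(ip_address(dns_answer[VPN_HOSTNAME]))   # syntax check / normalise
    if server_ip not in PINNED_VPN_IPS:
        raise ValueError(f"DNS returned {server_ip}, not a known VPN server; no bypass added")
    return BypassRule(dst_ip=server_ip, dst_port=TUNNEL_PORT, proto="udp", process=VPN_PROCESS)


def leaves_in_plaintext(rule: BypassRule, pkt: Packet) -> bool:
    """True if the packet would be sent outside the tunnel under this rule."""
    return rule.matches(pkt)


def demo() -> Dict[str, bool]:
    browser_to_target = Packet("203.0.113.10", 80, "tcp", "browser")        # victim -> attacker's target
    tunnel_handshake = Packet("198.51.100.7", TUNNEL_PORT, "udp", VPN_PROCESS)  # the tunnel itself
    browser_to_server = Packet("198.51.100.7", 443, "tcp", "browser")       # unrelated traffic to server IP

    results = {}
    # Spoofed DNS: the vulnerable client exempts the attacker's target from the tunnel.
    results["vulnerable_leaks_browser_traffic"] = leaves_in_plaintext(
        vulnerable_bypass_rule(SPOOFED_ANSWER), browser_to_target)
    # Even with honest DNS, the vulnerable rule leaks non-VPN traffic to the server IP.
    results["vulnerable_leaks_even_with_legit_dns"] = leaves_in_plaintext(
        vulnerable_bypass_rule(LEGIT_ANSWER), browser_to_server)
    # The hardened client refuses an answer that is not a pinned server.
    try:
        hardened_bypass_rule(SPOOFED_ANSWER)
        results["hardened_rejects_spoofed_answer"] = False
    except ValueError:
        results["hardened_rejects_spoofed_answer"] = True
    hard = hardened_bypass_rule(LEGIT_ANSWER)
    results["hardened_allows_tunnel_handshake"] = leaves_in_plaintext(hard, tunnel_handshake)
    results["hardened_tunnels_other_traffic_to_server"] = not leaves_in_plaintext(hard, browser_to_server)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

On a real macOS client the exemption is a host route or packet-filter entry rather than a Python object, but the two defensive properties modelled here are the ones that matter: the exempted address must come from something the attacker cannot forge (a pinned or otherwise authenticated server address), and the exemption must be narrow enough that only the client's own tunnel socket, not arbitrary applications, can reach that address outside the tunnel.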

References

1. Avira Phantom VPN through 2.23.1 for macOS (affected product)
2. tunnelcrack.mathyvanhoef.com - ServerIP attack and DNS spoofing

Note: The website tunnelcrack.mathyvanhoef.com uses the CVE ID CVE-2023-36673 to refer more generally to the "ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address", not just for Avira Phantom VPN.

Users of Avira Phantom VPN on macOS should update the client to the latest available version. Until the fixed version is installed, the attack requires an adversary who can intercept the client's DNS lookup, so untrusted networks such as public Wi-Fi are the realistic setting; treat any plaintext protocol used over the VPN there as potentially exposed. Organizations that deploy the client should verify installed versions and watch for DNS spoofing on networks their users connect from.

Timeline

Published on: 08/09/2023 23:15:10 UTC
Last modified on: 10/31/2023 09:15:08 UTC