cisco-sa-ac-leak-sew6g2kd
Vulnerability from csaf_cisco
Published
2023-08-08 15:00
Modified
2023-08-08 15:00
Summary
Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables Affecting Cisco AnyConnect Secure Mobility Client and Cisco Secure Client
Notes
Summary
On August 8, 2023, the paper Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables was made public. The paper discusses two attacks that can cause VPN clients to leak traffic outside the protected VPN tunnel. In both instances, an attacker can manipulate routing exceptions that are maintained by the client to redirect traffic to a device that they control without the benefit of the VPN tunnel encryption.
Vulnerable Products
These attacks affect Cisco Secure Client AnyConnect VPN for iOS regardless of client configuration.
These attacks affect the following products if they are deployed with an affected configuration:
Cisco AnyConnect Secure Mobility Client for Linux
Cisco AnyConnect Secure Mobility Client for MacOS
Cisco AnyConnect Secure Mobility Client for Windows
Cisco Secure Client for Linux
Cisco Secure Client for MacOS
Cisco Secure Client for Windows
For information about affected configurations, see the Details ["#details"] section of this advisory.
Products Confirmed Not Vulnerable
Cisco has confirmed that these attacks do not affect Cisco Secure Client AnyConnect for Android.
Details
CVE-2023-36672
For the LocalNet attacks to be successful, a client must be configured to allow local LAN access. The default policy for clients is to deny local LAN access. As a result, clients in a default configuration are not affected by the LocalNet attacks.
CVE-2023-36673
For the ServerIP attacks, customers who use the Umbrella Roaming Security module are protected against DNS spoofing attacks like the one described by CVE-2023-36673.
Recommendations
For customers who have configured clients to allow local LAN access, Cisco recommends applying client firewall rules to allow access to necessary resources only. For example, customers who need to allow access to printers on a client local LAN can enable Client Firewall for Local Printer Support, as outlined in the General VPN Setup chapter of the ASDM Book 3: Cisco ASA Series VPN ASDM Configuration Guide ["https://www.cisco.com/c/en/us/td/docs/security/asa/asa915/asdm715/vpn/asdm-715-vpn-config/vpn-asdm-setup.html#ID-2188-000002c3__ID-2188-000002e5"]. Similar firewall rules can be created for other local services that require access.
For customers who have not deployed the Umbrella Roaming Security Module, more information is available in the AnyConnect OpenDNS Roaming Security Module Deployment Guide ["https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200940-Anyconnect-OpenDNS-Roaming-Security-Modu.html#anc18"].
Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy ["http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team is aware that proof-of-concept exploit code is available for the attacks that are described in this advisory. This was made available by the researcher at the following link: https://tunnelcrack.mathyvanhoef.com ["https://tunnelcrack.mathyvanhoef.com"]
Source
These attacks were reported to Cisco by Dr. Mathy Vanhoef of New York University Abu Dhabi. Cisco would like to thank Dr. Vanhoef for his continued help and support.
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
{
"document": {
"acknowledgments": [
{
"summary": "These attacks were reported to Cisco by Dr. Mathy Vanhoef of New York University Abu Dhabi. Cisco would like to thank Dr. Vanhoef for his continued help and support."
}
],
"category": "csaf_informational_advisory",
"csaf_version": "2.0",
"notes": [
{
"category": "summary",
"text": "On August 8, 2023, the paper Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables was made public. The paper discusses two attacks that can cause VPN clients to leak traffic outside the protected VPN tunnel. In both instances, an attacker can manipulate routing exceptions that are maintained by the client to redirect traffic to a device that they control without the benefit of the VPN tunnel encryption.\r\n\r\n",
"title": "Summary"
},
{
"category": "general",
"text": "These attacks affect Cisco Secure Client AnyConnect VPN for iOS regardless of client configuration.\r\n\r\nThese attacks affect the following products if they are deployed with an affected configuration:\r\n\r\nCisco AnyConnect Secure Mobility Client for Linux\r\nCisco AnyConnect Secure Mobility Client for MacOS\r\nCisco AnyConnect Secure Mobility Client for Windows\r\nCisco Secure Client for Linux\r\nCisco Secure Client for MacOS\r\nCisco Secure Client for Windows\r\n\r\nFor information about affected configurations, see the Details [\"#details\"] section of this advisory.",
"title": "Vulnerable Products"
},
{
"category": "general",
"text": "Cisco has confirmed that these attacks do not affect Cisco Secure Client AnyConnect for Android.",
"title": "Products Confirmed Not Vulnerable"
},
{
"category": "general",
"text": "CVE-2023-36672\r\n\r\nFor the LocalNet attacks to be successful, a client must be configured to allow local LAN access. The default policy for clients is to deny local LAN access. As a result, clients in a default configuration are not affected by the LocalNet attacks.\r\n\r\nCVE-2023-36673\r\n\r\nFor the ServerIP attacks, customers who use the Umbrella Roaming Security module are protected against DNS spoofing attacks like the one described by CVE-2023-36673.",
"title": "Details"
},
{
"category": "general",
"text": "For customers who have configured clients to allow local LAN access, Cisco recommends applying client firewall rules to allow access to necessary resources only. For example, customers who need to allow access to printers on a client local LAN can enable Client Firewall for Local Printer Support, as outlined in the General VPN Setup chapter of the ASDM Book 3: Cisco ASA Series VPN ASDM Configuration Guide [\"https://www.cisco.com/c/en/us/td/docs/security/asa/asa915/asdm715/vpn/asdm-715-vpn-config/vpn-asdm-setup.html#ID-2188-000002c3__ID-2188-000002e5\"]. Similar firewall rules can be created for other local services that require access.\r\n\r\nFor customers who have not deployed the Umbrella Roaming Security Module, more information is available in the AnyConnect OpenDNS Roaming Security Module Deployment Guide [\"https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200940-Anyconnect-OpenDNS-Roaming-Security-Modu.html#anc18\"].",
"title": "Recommendations"
},
{
"category": "general",
"text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.",
"title": "Vulnerability Policy"
},
{
"category": "general",
"text": "The Cisco Product Security Incident Response Team is aware that proof-of-concept exploit code is available for the attacks that are described in this advisory. This was made available by the researcher at the following link: https://tunnelcrack.mathyvanhoef.com [\"https://tunnelcrack.mathyvanhoef.com\"]",
"title": "Exploitation and Public Announcements"
},
{
"category": "general",
"text": "These attacks were reported to Cisco by Dr. Mathy Vanhoef of New York University Abu Dhabi. Cisco would like to thank Dr. Vanhoef for his continued help and support.",
"title": "Source"
},
{
"category": "legal_disclaimer",
"text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.",
"title": "Legal Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@cisco.com",
"issuing_authority": "Cisco PSIRT",
"name": "Cisco",
"namespace": "https://wwww.cisco.com"
},
"references": [
{
"category": "self",
"summary": "Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables Affecting Cisco AnyConnect Secure Mobility Client and Cisco Secure Client",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-leak-Sew6g2kd"
},
{
"category": "external",
"summary": "Cisco Security Vulnerability Policy",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
},
{
"category": "external",
"summary": "General VPN Setup chapter of the ASDM Book 3: Cisco ASA Series VPN ASDM Configuration Guide",
"url": "https://www.cisco.com/c/en/us/td/docs/security/asa/asa915/asdm715/vpn/asdm-715-vpn-config/vpn-asdm-setup.html#ID-2188-000002c3__ID-2188-000002e5"
},
{
"category": "external",
"summary": "AnyConnect OpenDNS Roaming Security Module Deployment Guide",
"url": "https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200940-Anyconnect-OpenDNS-Roaming-Security-Modu.html#anc18"
},
{
"category": "external",
"summary": "Security Vulnerability Policy",
"url": "http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html"
},
{
"category": "external",
"summary": "https://tunnelcrack.mathyvanhoef.com",
"url": "https://tunnelcrack.mathyvanhoef.com"
}
],
"title": "Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables Affecting Cisco AnyConnect Secure Mobility Client and Cisco Secure Client",
"tracking": {
"current_release_date": "2023-08-08T15:00:00+00:00",
"generator": {
"date": "2023-08-08T15:24:29+00:00",
"engine": {
"name": "TVCE"
}
},
"id": "cisco-sa-ac-leak-Sew6g2kd",
"initial_release_date": "2023-08-08T15:00:00+00:00",
"revision_history": [
{
"date": "2023-08-08T15:03:09+00:00",
"number": "1.0.0",
"summary": "Initial public release."
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_family",
"name": "Cisco Secure Client",
"product": {
"name": "Cisco Secure Client ",
"product_id": "CSAFPID-109810"
}
}
],
"category": "vendor",
"name": "Cisco"
}
]
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.