
Sophos UTM VPN TunnelCrack vulnerability

Hi Sophos,

Do you have any information on how all your products are affected by the TunnelCrack VPN vulnerability? ref: tunnelcrack.mathyvanhoef.com/details.html   CVE numbers: CVE-2023-36672, CVE-2023-35838, CVE-2023-36673, CVE-2023-36671

Quick summary: two vulnerabilities are listed: local traffic can be leaked in plain text, and the IP of the VPN server can be spoofed.

Regards

Damien



  • I have also already asked Sophos and created a support ticket for this.
    Please create a ticket as well.

  • Hello  

    Good day and thanks for reaching out to Sophos Community. 

    Could you share with us your caseID so we can also check back on our end. 

    Hi  ,

    I may recommend you to log a support ticket to have this further investigated and please feel free to share with us the caseID once you have it so we can track progress on our side.

    Many thanks for your time and patience and thank you for choosing Sophos. 

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • For me it seems this is a problem/vulnerability completely on the client side - the routing is changed on the client side so that the client doesn't use the VPN anymore and instead sends traffic directly. I don't think this problem is directly related to Firewall/Sophos...

    regards

  • Accurate.  However, Sophos now provides their own VPN client, so they are going to most likely be vulnerable potentially in that sense.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Hi Team, 

    Many thanks for taking the time to share these caseIDs, we'll be tracking progress of these on our end. 

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • I now have a child case 06921669 in which Sophos UTM9 will be covered, while the parent case 06906552 will cover Sophos XG & Sophos Connect products

  • Thanks for taking the time to share it on the thread. 

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • So I have a reply to case 06921669 (just UTM):

    -----------

    Hi Damien,

    Here is the detailed analysis.


    For the UTM Site-to-site VPN client, while it's not affected by the LocalIP Attacks, the ServerIP Attack could be an issue. With existing UTM configuration options, however, it can be remedied entirely when this is a concern.


    LocalNet Attacks

    As UTM is connected with physical Ethernet connections, there is no way for an adversary to add/modify UTM's internal routes as TunnelCrack paper suggested. It is possible to wire UTM to a wireless point. In this case, even if an adversary may be able to trick clients on the WIFI connection, it's within the WIFI, which should be addressed there, but UTM's routes will still not be affected.


    ServerIP Attacks

    It is unlikely that a UTM environment could be disrupted with a direct connection to the site-to-site VPN server. If this is the case, the UTM network is already in trouble. However, if it is possible for an adversary to spoof the DNS response to the client side of a UTM with a different IP address for the server UTM's URL, then the issue could be observed. In this case, the client UTM will send tunnel traffic including connection requests to a bad IP address. The good news is that there are two options within UTM that can be used to remedy this problem by avoiding the client UTM having to rely on DNS for the server UTM's IP address.

    1. On the server UTM side, add the server UTM’s IP in "Override hostname" option when creating a site-to-site SSL connection, as shown below. With this setting, the connection file downloaded for the client will contain the server UTM's IP address instead of its URL so that the client doesn't need to contact DNS for the record. (Note: this setting will affect both Remote Access and Site-to-site VPN connections).



    2. On the client UTM side, add a new Network Definition for the server UTM’s URL with server’s IP address. Now, the client UTM will use this to get the server's IP address instead of querying DNS.




    Thanks,
    Bhagyesh Patel

    --------------

    I think these comments may also apply to SophosFirewallOS for site to site VPNs.

    So now just waiting on the Sophos Connect clients impact.
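Both remedies in the quoted reply come down to one property: the client must not have to ask DNS for the server address at connect time. The script below is an added example (not Sophos code and not from the support reply) that audits a downloaded connection file for that property. It assumes an OpenVPN-style `remote <host> [port]` syntax, since the page does not describe the UTM connection-file format; the `pinned` map models option 2, a static hostname-to-IP definition on the client side. The sample configs and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample: server named by hostname, so the client resolves it via
# DNS on every connection (the case the reply says a spoofed answer can hit).
SAMPLE_BY_HOSTNAME = """\
client
dev tun
proto tcp
remote vpn.example.invalid 443   # constructed hostname
resolv-retry infinite
"""

# Constructed sample: the same file after an "Override hostname" style fix,
# carrying a literal IP so no DNS lookup is needed for the server.
SAMPLE_BY_IP = """\
client
dev tun
proto tcp
remote 203.0.113.10 443          ; constructed documentation address
resolv-retry infinite
"""

# 'remote <host> [port]' at the start of a line, case-insensitive.
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)(?:\s+(\d+))?", re.IGNORECASE)


def remote_endpoints(config_text):
    """Return (host, port) pairs named by 'remote' lines; port is None if absent."""
    endpoints = []
    for line in config_text.splitlines():
        # Strip trailing comments in either of the two common styles.
        line = line.split("#", 1)[0].split(";", 1)[0]
        match = REMOTE_RE.match(line)
        if match:
            endpoints.append((match.group(1), match.group(2)))
    return endpoints


def is_ip_literal(host):
    """True if host is an IPv4 or IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_dependent_remotes(config_text, pinned=None):
    """Hosts the client would still resolve through DNS at connect time.

    A remote is considered safe from a spoofed DNS answer when it is an IP
    literal (option 1 in the reply) or has a static definition in `pinned`
    (modelling option 2); everything else is reported.
    """
    pinned = pinned or {}
    return [
        host
        for host, _port in remote_endpoints(config_text)
        if not is_ip_literal(host) and host not in pinned
    ]


def audit(config_text, pinned=None):
    """Human-readable verdict for one connection file."""
    findings = dns_dependent_remotes(config_text, pinned)
    if not findings:
        return "OK: every remote is an IP literal or statically pinned"
    return "WARN: DNS-resolved remotes: " + ", ".join(findings)


if __name__ == "__main__":
    print(audit(SAMPLE_BY_HOSTNAME))
    print(audit(SAMPLE_BY_IP))
    # Option 2: leave the hostname in the file, pin it on the client instead.
    print(audit(SAMPLE_BY_HOSTNAME, pinned={"vpn.example.invalid": "203.0.113.10"}))
```

Run it over the actual file handed out to the client UTM after applying either change; the first sample should report a warning and the other two should report OK. Pinning a name with a static definition only helps if the client genuinely consults that definition before DNS, which is the behaviour the reply attributes to the UTM Network Definition and should be confirmed on the device rather than assumed.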