
Sophos UTM VPN TunnelCrack vulnerability

Hi Sophos,

Do you have any information on how all your products are affected by the TunnelCrack VPN vulnerability? ref: tunnelcrack.mathyvanhoef.com/details.html. CVE numbers: CVE-2023-36672, CVE-2023-35838, CVE-2023-36673, CVE-2023-36671

Quick summary: two vulnerabilities are listed: local traffic can be leaked in plain text, and the IP of the VPN server can be spoofed.

Regards

Damien



  • So I have a reply to case 06921669 (just UTM):

    -----------

    Hi Damien,

    Here is the detailed analysis.

    For the UTM Site-to-site VPN client, while it’s not affected by the LocalIP Attacks, the ServerIP Attack could be an issue. With existing UTM configuration options, however, it can be remedied entirely when this is a concern.

    LocalNet Attacks

    As UTM is connected with physical Ethernet connections, there is no way for an adversary to add/modify UTM's internal routes as the TunnelCrack paper suggested. It is possible to wire UTM to a wireless point. In this case, even if an adversary may be able to trick clients on the WIFI connection, it's within the WIFI, which should be addressed there, but UTM's routes will still not be affected.

    ServerIP Attacks

    It is unlikely that a UTM environment could be disrupted with a direct connection to the site-to-site VPN server. If this is the case, the UTM network is already in trouble. However, if it is possible for an adversary to spoof the DNS response to the client side of a UTM with a different IP address for the server UTM's URL, then the issue could be observed. In this case, the client UTM will send tunnel traffic including connection requests to a bad IP address. The good news is that there are two options within UTM that can be used to remedy this problem by avoiding the client UTM relying on DNS for the server UTM's IP address.

    1. On the server UTM side, add the server UTM’s IP in the "Override hostname" option when creating a site-to-site SSL connection, as shown below. With this setting, the connection file downloaded for the client will contain the server UTM's IP address instead of its URL, so that the client doesn't need to contact DNS for the record. (Note: this setting will affect both Remote Access and Site-to-site VPN connections.)



    2. On the client UTM side, add a new Network Definition for the server UTM’s URL with the server’s IP address. Now, the client UTM will use this to get the server's IP address instead of querying DNS.




    Thanks,
    Bhagyesh Patel

    --------------

    I think these comments may also apply to SophosFirewallOS for site-to-site VPNs.

    So now just waiting on the Sophos Connect clients impact.
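As an added example, not part of the thread or of Sophos's own tooling: a small Python check that flags `remote` entries in a downloaded client profile that still name the VPN server by DNS name rather than by literal IP, which is the dependency the two mitigations above are meant to remove. It assumes the connection file uses OpenVPN-style `remote <host> [port] [proto]` lines (an assumption about the UTM file format); the sample profile and addresses are constructed.

```python
"""Flag DNS-dependent server endpoints in an OpenVPN-style client profile.

Added example, not from the Sophos thread. The profile format (OpenVPN-style
`remote <host> [port] [proto]` directives) is an assumption; the sample
profiles below are constructed.
"""
import ipaddress
import re

# `remote host [port] [proto]`; comments (# or ;) are stripped before matching.
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)(?:\s+(\d+))?(?:\s+(\S+))?\s*$", re.IGNORECASE)


def is_literal_ip(host):
    """True for an IPv4/IPv6 literal (IPv6 may be bracketed), False for a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def dns_dependent_remotes(profile_text):
    """Return (line_number, host) for each `remote` that is a DNS name.

    Every such entry makes the tunnel endpoint depend on a DNS answer the
    client cannot authenticate, which is the ServerIP attack precondition.
    An empty result means the server address is pinned in the profile.
    """
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        stripped = line.split("#", 1)[0].split(";", 1)[0]
        m = REMOTE_RE.match(stripped)
        if m and not is_literal_ip(m.group(1)):
            findings.append((lineno, m.group(1)))
    return findings


# Constructed profiles: before and after pinning the server IP.
BEFORE = """\
client
dev tun
remote vpn.example.invalid 443 tcp
remote-cert-tls server
"""
AFTER = BEFORE.replace("vpn.example.invalid", "203.0.113.10")

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, dns_dependent_remotes(text))
```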
