Sophos Security Advisory
On August 8, 2023, security researcher Mathy Vanhoef presented several security issues affecting VPN clients under the name “TunnelCrack”. As outlined in Vanhoef’s advisory, TunnelCrack comprises four vulnerabilities, grouped into the “LocalNet” and “ServerIP” attacks.
These issues describe several ways in which an adversary who controls the network a client is connected to, for example a rogue access point or another untrusted network, can manipulate a VPN client into sending traffic outside the protected VPN tunnel. Traffic that is itself encrypted, such as HTTPS, remains confidential and cannot be decrypted even if the adversary manipulates the routing; what is exposed is traffic carried in plaintext, together with the destination addresses of the diverted connections.
If a VPN client is configured to allow access to the local network, an adversary who controls that network can hand the client an IP configuration in which remote hosts appear to lie on the local subnet. In the “LocalNet” variant of TunnelCrack, traffic to those hosts is then sent directly over the local interface instead of through the VPN tunnel.
An update of the Sophos Connect client is not required, as the risk of exploitation is very low and the attacks are easily mitigated by the following configuration steps:
LocalNet attack – ensure TLS is used on all services reachable via the VPN, so that any traffic an adversary diverts out of the tunnel is still encrypted end to end.
ServerIP attack – ensure the “Override hostname” value in the SSL VPN Settings is empty. The default value for this setting is empty. The ServerIP attack works by spoofing the DNS reply for the VPN server’s hostname, so a client that connects to a fixed IP address rather than a resolved name is not exposed.