CVE-2023-36672 in AnyConnect Secure Mobility Client

Summary

by MITRE • 08/10/2023

An issue was discovered in the Clario VPN client through 5.9.1.1662 for macOS. The VPN client insecurely configures the operating system such that traffic to the local network is sent in plaintext outside the VPN tunnel even if the local network is using a non-RFC1918 IP subnet. This allows an adversary to trick the victim into sending arbitrary IP traffic in plaintext outside the VPN tunnel. NOTE: the tunnelcrack.mathyvanhoef.com website uses this CVE ID to refer more generally to "LocalNet attack resulting in leakage of traffic in plaintext" rather than to only Clario.


Analysis

by VulDB Data Team • 01/14/2026

The vulnerability identified as CVE-2023-36672 is a critical network security flaw in the Clario VPN client through version 5.9.1.1662 for macOS. It manifests as an insecure configuration of the operating system's routing tables that fails to keep local network traffic inside the VPN tunnel. The flaw specifically affects scenarios where the local network uses a non-RFC1918 IP subnet, i.e. addresses outside the private ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. When such a local subnet is present, the VPN client routes traffic destined for local network addresses outside the encrypted tunnel, exposing it to interception and manipulation.

Technically, the vulnerability stems from improper handling of routing table modifications during VPN establishment. The Clario client does not configure the system's routing policies so that all local network traffic stays within the encrypted VPN tunnel. This misconfiguration lets traffic bypass the VPN encryption and traverse the network in plaintext, creating an attack surface that adversaries can exploit. The issue specifically concerns how the macOS network stack makes routing decisions for local network addresses, in particular those outside the standard RFC1918 ranges, which the client appears to treat as trusted local destinations.

The operational impact of CVE-2023-36672 extends beyond simple data exposure to potential man-in-the-middle attacks and network reconnaissance. An attacker positioned within the local network, or able to influence its configuration, can leverage this vulnerability to intercept and manipulate communications that should remain protected within the VPN tunnel. The attack vector typically involves social engineering to convince a victim running the vulnerable VPN client to connect to a network the attacker controls, after which the attacker intercepts the traffic that leaks outside the tunnel and may recover sensitive information such as credentials, personal data or business communications. This vulnerability undermines the fundamental security promise of VPN usage, particularly in enterprise environments where network isolation is critical for maintaining security boundaries.

The broader implications of this vulnerability align with the ATT&CK framework's tactics related to network infiltration and credential access, specifically mapping to techniques such as "Network Sniffing" and "Phishing for Credentials." The vulnerability also corresponds to CWE-284, which addresses improper access control in network configurations, and CWE-310, which covers cryptographic issues in network communications. Organizations using the Clario VPN client should apply immediate mitigations: update to a patched version, implement network segmentation controls, and monitor for unusual traffic patterns that might indicate exploitation attempts. Network administrators should also consider further layers of protection, such as firewall rules that restrict traffic flow between VPN clients and local networks, and conduct regular security assessments to identify similar weaknesses in other VPN implementations that might present comparable risks to traffic isolation. The vulnerability demonstrates the critical importance of proper network configuration management and the potential for seemingly minor implementation flaws to create significant security exposures in enterprise environments.
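As an added example that is not part of the VulDB record or of Clario's software, the check below parses a constructed macOS `netstat -rn` listing and flags on-link subnet routes that lie outside the RFC1918 ranges yet bypass the tunnel interface, which is the route-table pattern this CVE describes. The tunnel interface name `utun3` and the local subnet 203.0.113.0/24 are assumed sample values.

```python
import ipaddress
from typing import Dict, List, Optional

# RFC1918 private ranges. A LocalNet-style leak matters most when the local
# subnet falls OUTSIDE these, because then public destinations can be made
# to look "local" and be routed around the tunnel in plaintext.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of the IPv4 section of `netstat -rn` on a macOS host with an
# active VPN on utun3. The 203.0.113.0/24 on-link route via en0 is the leak pattern.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags           Netif Expire
default            10.8.0.1           UGScg           utun3
10.8/24            link#20            UCS             utun3       !
127                127.0.0.1          UCS             lo0
203.0.113          link#6             UCS             en0         !
203.0.113.1        a8:9c:ed:12:34:56  UHLWIi          en0       1190
"""

def normalize_dest(dest: str) -> ipaddress.IPv4Network:
    """Expand macOS's abbreviated destinations ('10.8/24', '192.168.1') to a network."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if plen == "":
        plen = str(8 * len(octets))  # classful abbreviation: one octet per 8 bits
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)

def parse_routes(text: str) -> List[Dict[str, str]]:
    """Return the IPv4 routes as dicts with dest, gateway, flags and netif."""
    routes, in_v4 = [], False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_v4 = True
            continue
        if line.startswith("Internet6:"):
            break
        if not in_v4 or not line.strip() or line.startswith("Destination"):
            continue
        f = line.split()
        routes.append({"dest": f[0], "gateway": f[1], "flags": f[2], "netif": f[3]})
    return routes

def default_interface(text: str) -> Optional[str]:
    """Interface carrying the default route; with the VPN up it should be the tunnel."""
    return next((r["netif"] for r in parse_routes(text) if r["dest"] == "default"), None)

def find_leaky_local_routes(text: str, vpn_if: str) -> List[str]:
    """Non-RFC1918, non-loopback subnet routes that send traffic around the tunnel."""
    leaks = []
    for r in parse_routes(text):
        if r["netif"] in (vpn_if, "lo0") or "H" in r["flags"]:
            continue  # tunnel, loopback and single-host routes are not subnet bypasses
        net = normalize_dest(r["dest"])
        if net.prefixlen and not any(net.subnet_of(p) for p in RFC1918):
            leaks.append(f"{net} via {r['netif']}")
    return leaks
```

Run against a live `netstat -rn` capture, an empty result together with `default_interface()` returning the tunnel interface is the expected healthy state.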

Reservation: 06/26/2023

Disclosure: 08/10/2023

Moderation: accepted

CPE: ready

EPSS: 0.00681

KEV: no

Activities: very low
