CVE-2023-36673 in Avira Phantom VPN

Summary

by MITRE • 08/10/2023

An issue was discovered in Avira Phantom VPN through 2.23.1 for macOS. The VPN client insecurely configures the operating system such that all IP traffic to the VPN server's IP address is sent in plaintext outside the VPN tunnel, even if this traffic is not generated by the VPN client, while simultaneously using plaintext DNS to look up the VPN server's IP address. This allows an adversary to trick the victim into sending traffic to arbitrary IP addresses in plaintext outside the VPN tunnel. NOTE: the tunnelcrack.mathyvanhoef.com website uses this CVE ID to refer more generally to "ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address" rather than to only Avira Phantom VPN.


Analysis

by VulDB Data Team • 01/14/2026

This vulnerability is a network tunneling flaw in Avira Phantom VPN for macOS through version 2.23.1. When the client brings the tunnel up it has to keep its own encrypted packets to the VPN server out of the tunnel, and it does so by excluding the server's IP address from the tunnel route in the operating system's routing configuration. That exclusion is keyed on the destination address alone, so all IP traffic to that address, from any application or process on the machine and not only the VPN client's own packets, is sent in plaintext over the underlying network. Because the exception lives in the system routing table rather than inside the VPN application, the behaviour is the same for every program on the device.

The flaw is the combination of that routing exception with the way the server address is obtained. The client resolves the VPN server's hostname with plaintext, unauthenticated DNS and installs the bypass for whatever address comes back. An adversary who can answer that lookup, for example on the same Wi-Fi network or as a rogue access point, returns the IP address of a site they want to observe instead of the real server address. The client then excludes that address from the tunnel, and every later connection the victim makes to it is sent outside the VPN in the clear, where the adversary can read or modify it. This is the ServerIP attack described at tunnelcrack.mathyvanhoef.com, which, as the summary notes, uses this CVE ID for the general "ServerIP combined with DNS spoofing" technique and not only for Avira Phantom VPN.
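The following model, added here as an illustration and not code from Avira's client or from the TunnelCrack proof of concept, shows why an IP-only route exception fed by a spoofed DNS answer leaks an unrelated application's traffic, and how narrowing the exception to the tunnel's own protocol and port keeps that traffic inside the VPN. The hostname, addresses, interface names, tunnel port and the two `connect_*` policies are constructed assumptions, not Avira's implementation.

```python
"""Model of the ServerIP route exception (added illustration, see lead-in).

Not Avira's client code and not the tunnelcrack.mathyvanhoef.com PoC.
Hostname, addresses, interfaces and the tunnel port are constructed values.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

PHYSICAL = "en0"     # underlying, untrusted network (the attacker can sniff here)
TUNNEL = "utun0"     # encrypted VPN tunnel interface

VPN_HOST = "vpn.example.net"        # constructed VPN hostname
REAL_SERVER_IP = "203.0.113.10"     # constructed: the genuine VPN server
TARGET_IP = "198.51.100.25"         # constructed: site the attacker wants in the clear
VPN_PROTO, VPN_PORT = "udp", 443    # constructed tunnel endpoint protocol/port


@dataclass(frozen=True)
class Flow:
    """One outbound flow as seen by the routing/filtering layer."""
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Bypass:
    """Traffic excluded from the tunnel; proto/dport None means 'any'."""
    dst: str
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (f.dst == self.dst
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport))


def resolve(hostname: str, answers: Dict[str, str]) -> str:
    """Plaintext DNS: the client believes whichever answer reaches it first."""
    return answers[hostname]


def connect_vulnerable(answers: Dict[str, str]) -> List[Bypass]:
    """Bypass keyed on destination IP only: every protocol to it leaves the tunnel."""
    return [Bypass(resolve(VPN_HOST, answers))]


def connect_hardened(answers: Dict[str, str]) -> List[Bypass]:
    """Bypass narrowed to the tunnel endpoint flow (assumed defence, not Avira's)."""
    return [Bypass(resolve(VPN_HOST, answers), VPN_PROTO, VPN_PORT)]


def egress(bypasses: List[Bypass], flow: Flow) -> str:
    """Interface a flow leaves on under the installed bypass rules."""
    return PHYSICAL if any(b.matches(flow) for b in bypasses) else TUNNEL


def simulate(connect: Callable[[Dict[str, str]], List[Bypass]], spoofed: bool) -> str:
    """Victim connects, then an unrelated app opens TCP/443 to TARGET_IP.

    With spoofed=True the attacker answered the hostname lookup with TARGET_IP.
    """
    answers = {VPN_HOST: TARGET_IP if spoofed else REAL_SERVER_IP}
    return egress(connect(answers), Flow(TARGET_IP, "tcp", 443))


if __name__ == "__main__":
    for name, connect in (("vulnerable", connect_vulnerable), ("hardened", connect_hardened)):
        for spoofed in (False, True):
            print(f"{name:10} spoofed={str(spoofed):5} app traffic to target leaves via "
                  f"{simulate(connect, spoofed)}")
```

Run stand-alone it prints that the vulnerable policy sends the application's traffic out over en0 as soon as the DNS answer is spoofed, while the hardened policy keeps it in utun0. Note what the hardened policy does not fix: the VPN handshake itself is still sent toward the spoofed address in the clear, so narrowing the exception limits the leak to the tunnel protocol rather than removing the DNS dependency; pinning the server IP or authenticating the lookup addresses that half.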

The practical impact is that the VPN gives no protection for the attacker-chosen destination while the user believes the tunnel covers all traffic. Every application on the system is affected, not just the VPN client. What the adversary gains depends on the target: traffic that is itself unencrypted (plain HTTP, DNS, legacy protocols) is fully exposed and can be tampered with, while TLS-protected traffic keeps its content confidential but reveals the destination, timing and volume the VPN was meant to hide and can be blocked or subjected to stripping attempts if the application does not enforce HTTPS. The attacker has to be positioned to spoof the DNS answer, so the realistic setting is an untrusted local network such as public Wi-Fi, which is exactly where users rely on a VPN for banking, e-mail or access to corporate networks.

From a defensive standpoint, the behaviour maps to adversary-in-the-middle (ATT&CK T1557) and network sniffing (T1040) on the victim's local network, with credential access as the likely follow-on against unencrypted services. The vulnerability relates to CWE-284 (improper access control) and CWE-310 (cryptographic issues), reflecting a route exception that is too broad and traffic that ends up in plaintext. Organizations and individuals using affected versions face exposure of data and credentials sent to whichever destination an attacker selects. Nothing on this page indicates that the routing change outlives the VPN session; the exposure exists while the client is connected, which is precisely when users assume they are protected. Mitigation starts with updating the client to a release in which the vendor has addressed the issue. Where that is not yet possible, the exposure can be reduced by removing the DNS dependency, for instance by configuring the VPN server as an IP literal where the product allows it, by inspecting the routing table after connecting to confirm which addresses are excluded from the tunnel, and by using a host firewall to restrict traffic to the excluded address on the physical interface to the tunnel protocol and port. Network monitoring for unexpected plaintext flows from VPN-enabled hosts can detect exploitation attempts.

Reservation

06/26/2023

Disclosure

08/10/2023

Moderation

accepted

CPE

ready

EPSS

0.00622

KEV

no

Activities

very low
