CVE-2023-36671 Overview
CVE-2023-36671 is a cleartext transmission vulnerability (CWE-319) affecting the Clario VPN client for macOS through version 5.9.1.1662. The vulnerability exists because the VPN client insecurely configures the operating system such that all IP traffic destined for the VPN server's IP address is sent in plaintext outside of the encrypted VPN tunnel, even when this traffic is not generated by the VPN client itself. This design flaw enables an adversary to trick victims into sending plaintext traffic to the VPN server's IP address, potentially deanonymizing users who rely on VPN services for privacy protection.
This vulnerability is part of a broader class of attacks known as "TunnelCrack" that affect numerous VPN implementations. The TunnelCrack Project Analysis uses this CVE ID to refer more generally to "ServerIP attack for only traffic to the real IP address of the VPN server."
Critical Impact
Attackers on the same network can deanonymize VPN users by forcing plaintext traffic to the VPN server's IP address, compromising user privacy and potentially exposing sensitive communications.
Affected Products
- Clario VPN for macOS through version 5.9.1.1662
- VPN clients with similar ServerIP attack vulnerabilities (per TunnelCrack research)
- SonicWall products (see SonicWall Vulnerability Detail SNWLID-2023-0015)
Discovery Timeline
- August 9, 2023 - CVE-2023-36671 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-36671
Vulnerability Analysis
This vulnerability stems from improper routing configuration in the Clario VPN client. When a VPN connection is established, the client should configure the operating system's routing table to ensure all traffic passes through the encrypted tunnel. However, the Clario VPN client creates an exception for traffic destined to the VPN server's own IP address, allowing this traffic to bypass the tunnel entirely.
The impact is significant for users who depend on VPN services for anonymity and privacy protection. An attacker positioned on the same local network (such as a malicious Wi-Fi hotspot operator or a compromised router) can exploit this flaw to observe and potentially modify traffic that the victim assumes is protected by the VPN.
Root Cause
The root cause is classified as CWE-319 (Cleartext Transmission of Sensitive Information). The VPN client fails to properly enforce that all user traffic, regardless of destination, should be routed through the encrypted VPN tunnel. By excluding the VPN server's IP address from tunnel routing rules, the client creates a traffic leak that can be exploited for deanonymization attacks.
This is a fundamental design flaw in how the VPN client configures macOS network routing. Proper VPN implementations should ensure that only the minimal traffic necessary for establishing and maintaining the VPN connection itself bypasses the tunnel, while all other traffic—even to the VPN server's public IP—should remain protected.
Attack Vector
The attack requires local network access, making it exploitable in scenarios where the attacker controls or has compromised the network infrastructure. The attack flow typically involves:
- The attacker positions themselves on the same network as the victim (e.g., public Wi-Fi, corporate LAN, or compromised home router)
- The attacker induces the victim's system to generate traffic destined for the VPN server's IP address
- Due to the misconfigured routing, this traffic is sent in plaintext outside the VPN tunnel
- The attacker captures and analyzes this plaintext traffic to deanonymize the victim or extract sensitive information
This attack is particularly effective because users have a reasonable expectation that all their traffic is protected while connected to a VPN. The attack requires user interaction (the victim must be tricked into generating traffic to the VPN server's IP) and exploits the trust relationship between users and their VPN service.
Detection Methods for CVE-2023-36671
Indicators of Compromise
- Unexpected plaintext traffic destined for known VPN server IP addresses
- Network routing table configurations that exclude VPN server IPs from tunnel routes
- DNS queries or HTTP requests to VPN server IP addresses originating outside the VPN tunnel
- Unusual network activity patterns when connected to untrusted networks
Detection Strategies
- Monitor network traffic for cleartext communications to VPN server endpoints
- Implement host-based monitoring to audit routing table configurations when VPN connections are established
- Use network analysis tools to verify that traffic is properly encapsulated within VPN tunnels
- Deploy endpoint detection solutions capable of identifying VPN traffic leaks
Monitoring Recommendations
- Enable detailed logging of network routing changes on macOS endpoints
- Configure network monitoring to alert on plaintext traffic to known VPN provider IP ranges
- Implement regular security assessments of VPN client configurations
- Monitor for signs of network-based attacks such as ARP spoofing or rogue DHCP servers that could facilitate exploitation
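As an added example (not part of this advisory and not Clario's code), the following Python script applies the detection strategy above to constructed tcpdump-style lines captured on the physical interface: every flow to the VPN server's IP other than the client's own encrypted transport is reported as a leak. The server IP (203.0.113.10) and the tunnel transport (UDP port 1194) are assumed placeholders.

```python
import re
from typing import Any, Dict, List, Optional

# Assumed placeholders (not real Clario values): the VPN server's IP and the
# protocol/port of the client's own encrypted transport, which is the only
# traffic to that address expected on the physical interface.
VPN_SERVER_IP = "203.0.113.10"
TUNNEL_TRANSPORT = ("udp", 1194)

# Constructed tcpdump-style lines, as from: sudo tcpdump -i en0 -n host 203.0.113.10
SAMPLE_CAPTURE = """\
10:00:01.100 IP 192.168.1.20.51234 > 203.0.113.10.1194: UDP, length 120
10:00:01.200 IP 203.0.113.10.1194 > 192.168.1.20.51234: UDP, length 88
10:00:02.300 IP 192.168.1.20.52000 > 203.0.113.10.80: Flags [S], seq 1, win 65535, length 0
10:00:02.400 IP 192.168.1.20.55555 > 203.0.113.10.53: 4321+ A? tracker.example. (33)
10:00:03.500 IP 192.168.1.20 > 203.0.113.10: ICMP echo request, id 7, seq 1, length 64
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
LINE_RE = re.compile(
    rf"^\S+ IP (?P<src>{IPV4})(?:\.(?P<sport>\d+))? > "
    rf"(?P<dst>{IPV4})(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def classify(rest: str, dport: Optional[str]) -> str:
    """Infer the transport from tcpdump's summary text (it omits 'UDP' for DNS)."""
    if rest.startswith("UDP"):
        return "udp"
    if rest.startswith("Flags"):
        return "tcp"
    if rest.startswith("ICMP"):
        return "icmp"
    return "udp" if dport == "53" else "other"


def find_leaks(capture: str, server_ip: str = VPN_SERVER_IP,
               tunnel: tuple = TUNNEL_TRANSPORT) -> List[Dict[str, Any]]:
    """Return flows to server_ip seen on the physical interface that are not the tunnel transport."""
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dst"] != server_ip:
            continue  # only outbound traffic to the VPN server is of interest
        port = int(m["dport"]) if m["dport"] else None
        proto = classify(m["rest"], m["dport"])
        if (proto, port) == tunnel:
            continue  # the client's own encrypted transport legitimately leaves via en0
        leaks.append({"src": m["src"], "proto": proto, "dport": port, "detail": m["rest"]})
    return leaks
```

Running `find_leaks(SAMPLE_CAPTURE)` on the constructed capture reports the HTTP SYN, the DNS query and the ICMP echo as plaintext flows to the VPN server's address that did not come from the tunnel transport.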
How to Mitigate CVE-2023-36671
Immediate Actions Required
- Update Clario VPN client to the latest available version that addresses this vulnerability
- Avoid using untrusted networks (public Wi-Fi) until the VPN client is updated
- Consider using alternative VPN solutions that have been verified against TunnelCrack attacks
- Enable additional network security measures such as firewall rules to prevent traffic leaks
Patch Information
Users should visit the Clario VPN for Mac Overview page to obtain the latest version of the VPN client. The TunnelCrack research team has coordinated disclosure with multiple VPN vendors, and patches addressing this class of vulnerability may be available. Users of SonicWall products should consult SonicWall Vulnerability Detail SNWLID-2023-0015 for vendor-specific guidance.
Workarounds
- Use a firewall to block all outbound traffic not routed through the VPN interface when connected to untrusted networks
- Manually verify routing table configurations after establishing VPN connections to ensure no traffic leaks exist
- Consider implementing application-level VPN configurations where possible to ensure traffic is properly routed
- Use additional privacy tools such as Tor in conjunction with VPN for sensitive activities until the vulnerability is patched
# Verify routing table configuration on macOS (IPv4 routes only)
netstat -rn -f inet
# Show which interface the kernel uses to reach the VPN server's IP.
# The client's own encrypted packets legitimately use a physical interface
# (e.g. en0) here; the flaw is that any other traffic to this address takes
# the same unprotected path instead of a utun* tunnel interface.
route -n get YOUR_VPN_SERVER_IP
# Inspect active network interfaces and their configurations
ifconfig -a
# Monitor for traffic bypassing the VPN tunnel (requires tcpdump)
# Replace en0 with your physical network interface
sudo tcpdump -i en0 -n host YOUR_VPN_SERVER_IP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

