CVE-2023-36672Cleartext Transmission of Sensitive Info in VPN

CWE-319Cleartext Transmission of Sensitive InfoCWE-201Sensitive Info Insertion into Sent DataCWE-829Inclusion of Functionality from Untrusted Control Sphere6 documents6 sources
Severity
5.7MEDIUMNVD
EPSS
0.0%
top 90.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Clario VPNPaloalto GlobalprotectPaloalto Pan-os+1 more
Timeline
PublishedAug 9
Latest updateAug 17

Description

An issue was discovered in the Clario VPN client through 5.9.1.1662 for macOS. The VPN client insecurely configures the operating system such that traffic to the local network is sent in plaintext outside the VPN tunnel even if the local network is using a non-RFC1918 IP subnet. This allows an adversary to trick the victim into sending arbitrary IP traffic in plaintext outside the VPN tunnel. NOTE: the tunnelcrack.mathyvanhoef.com website uses this CVE ID to refer more generally to "LocalNet att

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.1 | Impact: 3.6

Affected Packages4 packages

NVDclario/vpn5.9.1.1662
Palo Altopaloalto/pan-os

🔴Vulnerability Details

3
GHSA
GHSA-43fw-xm94-j3mx: An issue was discovered in the Clario VPN client through 52023-08-10
OSV
CVE-2023-36672: An issue was discovered in the Clario VPN client through 52023-08-09
CVEList
CVE-2023-36672: An issue was discovered in the Clario VPN client through 52023-08-09

📋Vendor Advisories

2
Palo Alto
PAN-SA-2023-0004 Informational Bulletin: Impact of TunnelCrack Vulnerabilities (CVE-2023-36671, CVE-2023-36672, CVE-2023-35838, and CVE-2023-36673)2023-08-17
Cisco
Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables Affecting Cisco AnyConnect Secure Mobility Client and Cisco Secure Client2023-08-08
CVE-2023-36672 — Clario VPN vulnerability | cvebase