Disclosures:
Professional Reviews

The reviews found on GuideHaven consist of evaluations conducted by community reviewers. These assessments take into account the reviewers’ unbiased and knowledgeable analysis of the products and services being reviewed.

Ownership

GuideHaven is a leading cybersecurity review website with a team of experts experienced in testing and evaluating VPNs, antiviruses, password managers, parental controls, and software tools. Our reviews are available in 29 languages, making them accessible to a broad audience since 2018. To further support our readers in their pursuit of online security, we’ve partnered with Kape Technologies PLC, which owns popular products like ExpressVPN, CyberGhost, ZenMate, Private Internet Access, and Intego, all of which may be reviewed on our website.

Affiliate Commissions

GuideHaven contains reviews that follow the strict reviewing standards, including ethical standards, that we have adopted. Such standards require that each review will take into consideration the independent, honest, and professional examination of the reviewer. That being said, we may earn a commission when a user completes an action using our links, at no additional cost to them. On listicle pages, we rank vendors based on a system that prioritizes the reviewer’s examination of each service, but also considers feedback received from our readers and our commercial agreements with providers.

Review Guidelines

The reviews published on GuideHaven are written by community reviewers that examine the products according to our strict reviewing standards. Such standards ensure that each review prioritizes the independent, professional, and honest examination of the reviewer, and takes into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings we publish may also take into consideration the affiliate commissions we earn for purchases through links on our website.

News Heading

TunnelCrack: New Security Vulnerabilities Deprives Users of VPN Protection

Shipra Sanganeria
Published by Shipra Sanganeria on August 14, 2024

A study carried out by researchers from New York University and KU Leuven revealed security and privacy vulnerabilities (dubbed TunnelCrack) in VPN clients. These vulnerabilities can be exploited in two attacks that can leak user traffic outside the encrypted tunnel.

The two resultant attacks, ‘LocalNet’ And ‘ServerIP,’ are a result of how VPN clients configure operating systems (OS) to route traffic through VPN tunnels. This is done by updating the system’s IP routing tables with some routing exceptions, like traffic to and from the local network and VPN server.

The research revealed that these routing exceptions can be exploited by using dubious WiFi access points or spoofed DNS responses, allowing selected traffic to bypass the encrypted tunnel. Moreover, the attacks are independent of any protocol used by the connection.

LocalNet attack, also deemed as CVE-2023-36672 requires an attacker to establish and trick a victim into connecting to the rogue WiFi access point. Generally, public hotspots that are a part of the local network and of interest to the target are utilized. Once connected, the target is assigned the said IP address and subnet.

As most VPNs allow direct access to the local network, when connected, this form of traffic transmission falls under the routing exception and bypasses the encrypting tunnels.

This form of attack can be mitigated by checking the option of disabling local traffic in VPN settings. Although, this would make all traffic pass through the VPN tunnel, it would restrict use of local networks like streaming videos to a TV, when connected to a VPN.

ServerIP attack, dubbed as CVE-2023-36673 manipulates the design flaw most commonly found in VPNs – non-encryption of traffic directed towards VPN servers. To deploy this attack, the adversary spoofs the DNS server that an interested victim connects to and redirects the victim’s network traffic to the adversary-controlled server. This allows the attacker to modify and control the unencrypted traffic.

This attack can be mitigated by setting up a secure DNS like, DNS over TLS or DNS over HTTPS, which will help improve network security. Moreover, VPN users should also check and install security updates as and when available.

The study involved 67 VPN products (free, paid, open-source, commercial, and built-in VPN clients) and different versions of Windows, Linux, iOS, macOS, and Android operating systems.

Did you like this article? Rate it!
 
 
 
 
 
I hated it I don’t really like it It was ok Pretty good! Loved it!
5.00 Voted by 1 users
Title
Comment
Thanks for your feedback