CVE-2023-35838
Published: 9 August 2023
The WireGuard client 0.5.3 on Windows insecurely configures the operating system and firewall such that traffic to a local network that uses non-RFC1918 IP addresses is blocked. This allows an adversary to trick the victim into blocking IP traffic to selected IP addresses and services even while the VPN is enabled. NOTE: the tunnelcrack.mathyvanhoef.com website uses this CVE ID to refer more generally to "LocalNet attack resulting in the blocking of traffic" rather than to only WireGuard.
Notes
| Author | Note |
|---|---|
| mdeslaur | other VPN software may also be affected. See whitepaper for the complete list. |
| evancaville | as of 2024-02-05, there doesn't appear to be an upstream fix available for network-manager-openvpn, openvpn packages. as of 2024-02-29, there doesn't appear to be an upstream fix available for network-manager-pptp, pptp-linux. wireguard itself is not vulnerable, however the wg-quick tool includes local network access. See the wg-quick manpage and documentation on methods to disable this. |
| mdeslaur | as of 2024-04-15, this CVE appears to be specific to the WireGuard client on Windows, marking all Ubuntu packages as not-affected |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
connman Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Ignored
(end of life, was not-affected)
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Not vulnerable
|
|
|
gadmin-openvpn-client Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Not vulnerable
|
|
|
gadmin-openvpn-server Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Not vulnerable
|
|
|
golang-github-apparentlymart-go-openvpn-mgmt Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Ignored
(end of life, was not-affected)
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Does not exist
|
|
|
kvpnc Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Not vulnerable
|
|
|
l2tp-ipsec-vpn Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Does not exist
|
|
|
l2tp-ipsec-vpn-daemon Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Does not exist
|
|
|
libreswan Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Ignored
(end of life, was not-affected)
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Does not exist
|
|
|
mozillavpn Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Does not exist
|
|
|
n2n Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Ignored
(end of life, was not-affected)
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Not vulnerable
|
|
|
network-manager-fortisslvpn Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Ignored
(end of life, was not-affected)
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Does not exist
|
|
|
network-manager-iodine Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Ignored
(end of life, was not-affected)
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Not vulnerable
|
|
|
network-manager-l2tp Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Ignored
(end of life, was not-affected)
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Does not exist
|
|
|
network-manager-openconnect Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Ignored
(end of life, was not-affected)
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Not vulnerable
|
|
|
network-manager-openvpn Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Ignored
(end of life, was not-affected)
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Not vulnerable
|
|
|
network-manager-pptp Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Ignored
(end of life, was not-affected)
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Not vulnerable
|
|
|
network-manager-sstp Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Ignored
(end of life, was not-affected)
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Does not exist
|
|
| upstream |
Does not exist
|
|
| xenial |
Does not exist
|
|
|
network-manager-strongswan Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Ignored
(end of life, was not-affected)
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Not vulnerable
|
|
|
network-manager-vpnc Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Ignored
(end of life, was not-affected)
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Not vulnerable
|
|
|
openconnect Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Ignored
(end of life, was not-affected)
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Needed
|
|
|
openfortivpn Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Ignored
(end of life, was not-affected)
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Does not exist
|
|
|
openvpn Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Ignored
(end of life, was not-affected)
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Not vulnerable
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Not vulnerable
|
|
|
pptp-linux Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Ignored
(end of life, was not-affected)
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Not vulnerable
|
|
|
quicktun Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Ignored
(end of life, was not-affected)
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Does not exist
|
|
|
riseup-vpn Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Ignored
(end of life, was not-affected)
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Does not exist
|
|
|
softether-vpn Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Needed
|
|
| lunar |
Ignored
(end of life, was needed)
|
|
| mantic |
Needed
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://github.com/SoftEtherVPN/SoftEtherVPN_Stable/commit/556bc0afe2333b7f2ea8f6f91fce90e53605b992 |
||
|
sshuttle Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Ignored
(end of life, was not-affected)
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Not vulnerable
|
|
|
tinc Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Ignored
(end of life, was not-affected)
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Not vulnerable
|
|
|
vpnc Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Ignored
(end of life, was not-affected)
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Not vulnerable
|
|
|
wireguard Launchpad, Ubuntu, Debian |
bionic |
Ignored
(see notes)
|
| focal |
Ignored
(see notes)
|
|
| jammy |
Ignored
(see notes)
|
|
| lunar |
Ignored
(end of life, was not-affected)
|
|
| mantic |
Ignored
(see notes)
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Ignored
(see notes)
|
|
|
zentyal-openvpn Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Does not exist
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.7 |
| Attack vector | Adjacent |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
References
- https://tunnelcrack.mathyvanhoef.com/details.html
- https://papers.mathyvanhoef.com/usenix2023-tunnelcrack.pdf
- https://openvpn.net/security-advisory/statement-regarding-tunnelcrack-vulnerabilities/
- https://www.softether.org/9-about/News/905-TunnelCrack
- https://www.cve.org/CVERecord?id=CVE-2023-35838
- NVD
- Launchpad
- Debian