CVE CyberSecurity Database News

CVE-2023-2754 - DNS Leak in Cloudflare WARP for Windows over IPv6 — Exclusive Vulnerability Explained

Poster -

Cloudflare WARP is a popular VPN-like client designed to make your internet browsing faster and safer. By acting as your device's DNS server, WARP helps route your DNS queries through its secure network, shielding your web activity from snooping eyes. But in 2023, security researchers found a critical problem in how the Windows edition of WARP handles DNS traffic over IPv6 networks. The assigned IPv6 DNS server could cause private DNS requests to accidentally leak out to other local devices — exposing your browsing activity.

Let’s break down this bug (assigned CVE-2023-2754), see how it works under the hood (with code samples!), and walk through possible exploit scenarios.

The Problem: Loopback vs. Unique Local Addresses

On Windows, the WARP client works by setting up a local DNS server on your machine. When you search for a website, WARP grabs the DNS request, encrypts it, and sends it securely to Cloudflare’s servers.

What WARP *Did* Instead (the Bug)

On IPv6, the WARP client assigned a Unique Local Address (ULA) in the range fd00::/8.  
ULAs are intended for local network traffic, but unlike loopback, any local device can potentially reach them.

This means:  
Your DNS queries — which should be private — might get sent over the local network, where other devices (or attackers) could see them.

Here's a simplified code snippet (mocked for easier reading) showing the problematic behavior

# Correct way (for localhost/loopback)
ipv6_loopback = "::1"  # Only this machine

# Buggy WARP behavior (incorrect):
wsl_ipv6_ula = "fdxx:xxxx:xxxx:xxxx::1"  # Unique Local Address

# Example in Windows network configuration (pseudo-code)
if is_ipv6_network():
    set_dns_server("fd12:3456:789a:1::1")  # ULA, visible on local network
else:
    set_dns_server("127..2.2")  # Proper local address

With this config, other devices in your home or office network could listen for DNS queries sent to that fdxx:... address and intercept them.

WARP assigns a ULA as the DNS server: fd12:3456:789a:1::1.

3. Victim’s device sends DNS queries to this address, but since ULAs are visible to local network devices, anyone nearby can also listen for and respond to those DNS queries.
4. Attacker sets up a fake DNS server on their computer, binds to fd12:3456:789a:1::1, and intercepts incoming DNS queries from the victim.
5. Attacker logs or manipulates DNS requests/responses, learning what sites the victim is visiting, or even redirecting them.

Example: Setting up a DNS listener in Python

import socket

# Bind to the ULA address and DNS port (53)
server = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
server.bind(('fd12:3456:789a:1::1', 53))

print("Listening for DNS queries on fd12:3456:789a:1::1:53")

while True:
    data, addr = server.recvfrom(1024)
    print(f"Received DNS packet from {addr}: {data.hex()}")

You could run this on another PC in the same local IPv6 network and start seeing DNS requests from the WARP-enabled victim.

More risky in places with many unknown devices, like libraries or coworking spaces.

Cloudflare fixed the bug in WARP clients after disclosure.  
Always make sure to run the latest version.

How to Check or Protect Yourself

1. Update WARP:  
If you use WARP for Windows, update to the latest version! (Cloudflare official client page)

2. Test Your DNS:

Open command prompt:

ipconfig /all
- Look for DNS servers. If you see IPv6 addresses starting with fd, that’s a ULA. Only ::1 is safe.

- CVE-2023-2754 entry (NVD)
- Cloudflare WARP download & release notes
- RedTeam Pentesting advisory
- IPv6 Unique Local Addresses explained (Cloudflare blog)

Conclusion

CVE-2023-2754 is a great lesson that a simple configuration choice — using a ULA instead of a loopback address — can have big security consequences, exposing supposedly private web traffic to anyone on your local network. Always keep your VPN/DNS software up to date and know how your privacy tools work under the hood.

If you want bulletproof DNS privacy, double-check your network settings — and remember, as in this case, details matter!


*This post is exclusive. Sharing knowledge, not DNS queries! Stay safe online.*

Timeline

Published on: 08/03/2023 15:15:00 UTC
Last modified on: 08/09/2023 21:04:00 UTC