CVE-2023-36673 - Cracking Avira Phantom VPN’s “ServerIP” - How Plaintext Traffic Leaks Can Betray You

Virtual Private Networks (VPNs) are supposed to keep your network traffic safe from snoopers and attackers. But a bug in Avira Phantom VPN for macOS (through version 2.23.1) can blow a hole right through that promise — letting your traffic escape the secure “tunnel” in plain sight, where any attacker could capture or redirect it.

Let’s break down CVE-2023-36673, how it works, and how attackers can exploit it. We'll look at concrete code snippets, explain the technical side in plain English, and give you all the references you’ll need.

What is CVE-2023-36673?

This vulnerability is found in Avira Phantom VPN for macOS (up to version 2.23.1). In short, it happens because the VPN’s network settings are insecure:

- All network traffic TO the VPN server’s IP address gets sent outside of the VPN tunnel, in plaintext.
- DNS requests for the VPN server’s IP address are also sent outside the tunnel, without encryption.
- This hole lets attackers trick your device into sending traffic to any arbitrary IP address, outside the protection of the VPN.

Ready to see how dangerous this could be? Keep reading.

Technical Overview (Plain Language)

Avira Phantom VPN sets up a rule in your Mac’s network system: “Hey, if you’re sending data to our VPN server’s IP address, just go right out on the internet, don’t bother encrypting it through the VPN tunnel!”

Problem: This rule isn’t just for VPN traffic. If *any* other app or system service sends data to that same IP, it’ll go out unencrypted, too.

Even worse, DNS queries to find the VPN server’s address are sent “in the clear,” making it easier for an attacker to see who you’re connecting to.

Attacker tricks you into visiting a specially crafted website or unstable network.

2. They spoof the DNS so “secure.example.com” resolves to the VPN server’s IP (or an IP of their choosing).

The attacker now sees (and can sniff, manipulate, or record) your sensitive traffic.

This is called a “ServerIP attack combined with DNS spoofing.”

> NOTE: According to tunnelcrack.mathyvanhoef.com, this CVE ID is used for any VPN product with similar “ServerIP” flaws.

Step 1: Malicious DNS Spoofing

Suppose the VPN server’s IP is 123.45.67.89. An attacker can control your DNS (maybe on a public WiFi or by running a phishing site) and can respond with this IP for *any* domain name.

For example

# Malicious DNS server: resolve any name to VPN server IP
def handle_dns_query(query):
    # Always return VPN server's IP!
    return '123.45.67.89'

A malicious site can embed resources

<!-- This image or script tags points to a controlled domain -->
<img src="http://malicious.example.com/track.png">;

The attacker-controlled DNS resolves malicious.example.com to 123.45.67.89.

Step 3: MacOS Routing Fails

When your browser tries to connect, the OS sees the destination IP (123.45.67.89) matches a “bypass the VPN” rule set up by Avira Phantom VPN.

Code Snippet: OS Routing Table Manipulation

The bug is about how Avira Phantom VPN adds a *route* to your operating system. That route looks like this:

# In shell, you can view the routing table:
netstat -rn | grep <vpn server ip>

# Typical route added by VPN:
# Destination      Gateway            Flags
# 123.45.67.89    <local interface>   UGH

# Meaning: Any packet to 123.45.67.89 goes directly out, NOT through VPN.

This is *intended* for VPN client traffic, but the rule catches everything going to that IP.

Sensitive web requests: Session cookies, login info, forms sent to a spoofed domain.

- Software update requests: Example: a background service checks for updates at updates.example.com, attacker controls DNS and maps it to the VPN server’s IP.

Any app traffic that hits a “mutated” IP via DNS.

All this data is leaked in the clear, not encrypted by the VPN.

Real-World Demo and Exploit

The researchers behind TunnelCrack provide proof-of-concept demos and video walkthroughs.

*Watch their video to see it in action!*

- TunnelCrack Demos
- Technical Paper (PDF)
- Original Disclosure
- Official CVE Entry

Protect Yourself

Update now: Avira Phantom VPN has released updates after version 2.23.1 for macOS, which fix this flaw. Always update your VPN software!

Be wary on public WiFi: Until all VPNs correctly fix this, attackers on public or hostile networks could exploit this bug.

Check for DNS leaks: Services like dnsleaktest.com show if your DNS requests are escaping the VPN.

Conclusion

CVE-2023-36673 reveals how even trust in a VPN can be undermined by poor network configuration. If your VPN leaks any traffic outside the encrypted tunnel, attackers can spy on or manipulate your activity.

References and Further Reading

- TunnelCrack: Academic Paper & Demo
- Original CVE Description
- Avira Phantom VPN Security Advisory
- Report on VPN leaks


*Stay safe, stay updated—and never trust a VPN blindly!*

Timeline

Published on: 08/09/2023 23:15:10 UTC
Last modified on: 10/31/2023 09:15:08 UTC