CVE-2023-2754

7.4 HIGH

📋 TL;DR

The Cloudflare WARP client for Windows incorrectly assigns Unique Local IPv6 addresses instead of loopback addresses for DNS servers when connected over IPv6 networks. This allows attackers on the same local network to potentially intercept DNS queries, revealing browsing activity. Only Windows users running vulnerable WARP client versions on IPv6-capable networks are affected.

💻 Affected Systems

Products:
  • Cloudflare WARP Client for Windows
Versions: prior to 2023.5.387.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects IPv6-capable networks. IPv4 connections use correct loopback addresses. Requires WARP to be enabled and connected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers on the same local network can monitor all DNS queries, potentially mapping user browsing habits, identifying visited services, and enabling targeted attacks based on observed activity.

🟠 Likely Case

Local network attackers can observe DNS queries, revealing which domains users are accessing, though not the specific content of encrypted connections.

🟢 If Mitigated

With proper patching, DNS queries remain local to the device via loopback addresses, preventing network-based interception.

🌐 Internet-Facing: LOW - This vulnerability requires local network access and does not expose systems directly to internet-based attacks.
🏢 Internal Only: MEDIUM - Attackers must be on the same local network, but corporate environments with multiple users on shared networks could see significant exposure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires local network access and ability to monitor network traffic. No authentication needed as DNS queries are sent to local network addresses.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2023.5.387.0 and later

Vendor Advisory: https://github.com/cloudflare/advisories/security/advisories/GHSA-mv6g-7577-vq4w

Restart Required: Yes

Instructions:

1. Open Cloudflare WARP client.
2. Click Settings (gear icon).
3. Click 'About' tab.
4. If version is below 2023.5.387.0, update through the client's update mechanism or download from official sources.
5. Restart the client after update.

🔧 Temporary Workarounds

Disable IPv6 on Network Adapter

windows

Prevents the vulnerability by forcing IPv4-only connections where WARP uses correct loopback addresses

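# Elevated PowerShell: unbind IPv6 (ms_tcpip6) from each adapter; list adapter names with Get-NetAdapter
Disable-NetAdapterBinding -Name "Ethernet" -ComponentID ms_tcpip6
Disable-NetAdapterBinding -Name "Wi-Fi" -ComponentID ms_tcpip6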

Disable WARP Client

windows

Temporarily disable WARP protection until patched

Right-click WARP system tray icon → 'Disconnect'

🧯 If You Can't Patch

  • Use IPv4-only networks where possible to avoid the IPv6 vulnerability path
  • Implement network segmentation to limit local network exposure and reduce attack surface

🔍 How to Verify

Check if Vulnerable:

Check WARP client version in Settings → About. If below 2023.5.387.0 and connected via IPv6, check DNS server addresses with 'ipconfig /all' - look for non-loopback IPv6 addresses (not ::1) assigned as DNS servers.

Check Version:

Check WARP client UI: Settings → About tab

Verify Fix Applied:

After updating to 2023.5.387.0+, verify DNS servers show IPv6 loopback address ::1 when connected via IPv6 using 'ipconfig /all'.
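
The `ipconfig /all` check above can be automated across collected host output. This is an added example, not code from Cloudflare or from the original page: it parses the output and reports adapters whose DNS servers fall in the Unique Local range (fc00::/7) rather than on loopback. It assumes English-locale output; the sample text, adapter names and addresses are constructed.

```python
import ipaddress
import re

ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 Unique Local Addresses
# Constructed sample of English-locale `ipconfig /all` output (names and addresses are illustrative).
SAMPLE = """\
Unknown adapter ExampleTunnel:

   DNS Servers . . . . . . . . . . . : fd00:1234:5678::2
                                       fd00:1234:5678::3
                                       127.0.2.2
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Ethernet:

   DNS Servers . . . . . . . . . . . : ::1
                                       fe80::1%12
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def dns_servers_by_adapter(text):
    """Map each adapter header in `ipconfig /all` text to its DNS server list."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        if line.rstrip().endswith(":") and not line[0].isspace():
            adapter, in_dns = line.rstrip()[:-1], False  # unindented "... adapter X:" header
            result[adapter] = []
            continue
        first = re.match(r"\s+DNS Servers[ .]*:\s*(\S+)", line)
        if adapter and first:
            result[adapter].append(first.group(1))
            in_dns = True
        elif in_dns and line.strip() and not re.search(r"\. :", line):
            result[adapter].append(line.strip())  # continuation line: value only, no label
        else:
            in_dns = False
    return result

def classify(addr):
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any zone id such as %12
    if ip.is_loopback:
        return "loopback"
    return "ula" if ip.version == 6 and ip in ULA else "other"

def exposed_dns(text):
    """Adapters whose DNS servers include a ULA address, with those addresses."""
    hits = {name: [s for s in servers if classify(s) == "ula"]
            for name, servers in dns_servers_by_adapter(text).items()}
    return {name: ula for name, ula in hits.items() if ula}
```

An empty result from `exposed_dns` means no adapter lists a Unique Local address as a DNS server; combine it with the version check, since only WARP versions below 2023.5.387.0 are affected.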

📡 Detection & Monitoring

Log Indicators:

  • Unusual DNS query patterns to local network addresses
  • Failed DNS resolution attempts

Network Indicators:

  • DNS queries sent to Unique Local Addresses (ULA) instead of loopback addresses
  • IPv6 DNS traffic to non-loopback addresses on local network

SIEM Query:

source="network_dns" dest_ip=~"fd00::/8" AND process="warp-svc.exe"
