CVE-2023-36673

7.3 HIGH

📋 TL;DR

This vulnerability in Avira Phantom VPN for macOS allows attackers to bypass VPN encryption and redirect traffic to arbitrary IP addresses in plaintext. It affects users of Avira Phantom VPN on macOS through version 2.23.1. The attack combines DNS spoofing with improper routing configuration to leak traffic outside the VPN tunnel.

💻 Affected Systems

Products:
  • Avira Phantom VPN
Versions: through 2.23.1
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the VPN client's routing configuration and DNS handling. While specifically documented for Avira, the underlying attack pattern (ServerIP attack) may affect other VPN implementations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: All VPN-protected traffic is intercepted and redirected to attacker-controlled servers, exposing sensitive data like credentials, financial information, and private communications.

🟠 Likely Case: Targeted attacks against specific users to intercept their VPN traffic, potentially exposing login credentials and sensitive browsing activity.

🟢 If Mitigated: Limited exposure if using updated software, network monitoring detects unusual traffic patterns, and users avoid untrusted networks.

🌐 Internet-Facing: HIGH - Attack can be executed from any network position between client and VPN server, including public Wi-Fi networks.
🏢 Internal Only: MEDIUM - Requires attacker to be on the same network segment or have DNS poisoning capabilities within the internal network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires DNS spoofing capability and network access to intercept/modify traffic. The TunnelCrack research website provides technical details and demonstration of the attack pattern.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2.23.1

Vendor Advisory: https://www.avira.com/en/free-vpn

Restart Required: Yes

Instructions:

1. Open the Avira Phantom VPN application.
2. Check for updates in Settings/Preferences.
3. Install any available updates.
4. Restart the VPN client.
5. Verify you are running a version newer than 2.23.1.

🔧 Temporary Workarounds

Use alternative VPN client (Platform: all)

Switch to a different VPN provider whose client is not vulnerable to ServerIP attacks.

Configure DNS manually (Platform: macOS)

Use secure DNS servers (like Cloudflare 1.1.1.1 or Google 8.8.8.8) and disable automatic DNS configuration. This stops a rogue DHCP server from handing the client an attacker-controlled resolver, but the resolver's replies still travel as plaintext UDP unless encrypted DNS is configured separately, so an on-path attacker can still spoof them; treat this as risk reduction, not a fix. "Wi-Fi" below is the macOS network service name; substitute the service actually in use.

sudo networksetup -setdnsservers Wi-Fi 1.1.1.1 1.0.0.1

🧯 If You Can't Patch

  • Discontinue use of Avira Phantom VPN on macOS until patched
  • Use only on trusted networks and avoid public Wi-Fi while VPN is active

🔍 How to Verify

Check if Vulnerable:

Check Avira Phantom VPN version in application settings. If version is 2.23.1 or earlier, you are vulnerable.

Check Version:

Open Avira Phantom VPN → Settings/Preferences → About or check application version in macOS Applications folder

Verify Fix Applied:

Verify the version is newer than 2.23.1. Then connect the VPN and capture on the physical interface (Wi-Fi or Ethernet, not the tunnel interface) with Wireshark or tcpdump: while the tunnel is up, the only traffic leaving the host should be the tunnel protocol to the VPN endpoint, plus the DNS lookup of the VPN hostname before connection. Any plaintext traffic to other destinations, or to the address the VPN hostname resolved to, indicates a route exception that bypasses the tunnel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual DNS queries for VPN server domains
  • VPN client connection failures followed by plaintext connections

Network Indicators:

  • Traffic to VPN server IP outside encrypted tunnel
  • DNS responses with unusual TTL values for VPN domains
  • Plaintext traffic to IP addresses that should be tunneled

SIEM Query:

(source="vpn_client.log" AND ("connection reset" OR "dns failure")) OR (dest_ip="vpn_server_ip" AND NOT protocol="ESP" AND NOT protocol="IKE")

Replace vpn_server_ip with the address of your VPN endpoint. The ESP/IKE exclusions assume an IPsec tunnel; if the client tunnels over OpenVPN or WireGuard, exclude the tunnel's UDP/TCP port instead, otherwise the tunnel itself will match as "plaintext" traffic.
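The indicators above can be checked mechanically against DNS answers and flow records exported from a resolver log, a NetFlow collector or a packet capture. The script below is an added example, not part of the original advisory or Avira's tooling; the hostname, the expected endpoint address, the sample records and the field layout are all constructed for this illustration. It flags the VPN hostname resolving to an unexpected address (with a short TTL as a secondary signal), non-tunnel traffic to the real endpoint, and, the strongest signal, plaintext traffic to whatever address a suspicious resolution pointed at.

```python
"""Detect ServerIP-style tunnel bypass from DNS answers and flow records.

All data below is constructed for the example; EXPECTED_VPN_HOST,
EXPECTED_VPN_IPS and the record layouts are assumptions, not values
from the advisory.
"""
from dataclasses import dataclass
from typing import Iterable

# Assumed legitimate VPN endpoint. A real deployment would load these from
# the client configuration or the provider's published endpoint list.
EXPECTED_VPN_HOST = "vpn.example.invalid"
EXPECTED_VPN_IPS = {"203.0.113.10"}          # TEST-NET-3, constructed

# Traffic that legitimately carries the tunnel itself. Adjust to the tunnel
# protocol the client really uses (ESP/IKE, OpenVPN UDP 1194, WireGuard ...).
TUNNEL_PROTOCOLS = {"esp", "ike"}
TUNNEL_PORTS = {500, 4500, 1194, 51820}
LOW_TTL_SECONDS = 60


@dataclass(frozen=True)
class DnsAnswer:
    qname: str    # queried name, with or without trailing dot
    rdata: str    # address in the A record
    ttl: int      # TTL in seconds


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    protocol: str  # "tcp", "udp", "esp", ...
    dst_port: int  # 0 when the protocol has no port (e.g. ESP)


def _is_vpn_name(qname: str) -> bool:
    return qname.rstrip(".").lower() == EXPECTED_VPN_HOST


def _is_tunnel(flow: Flow) -> bool:
    return flow.protocol.lower() in TUNNEL_PROTOCOLS or flow.dst_port in TUNNEL_PORTS


def check_dns(answers: Iterable[DnsAnswer]) -> list[str]:
    """VPN hostname resolving to an address other than the known endpoint,
    plus a short TTL, which a spoofed record that must win a race often has."""
    alerts = []
    for a in answers:
        if not _is_vpn_name(a.qname):
            continue
        if a.rdata not in EXPECTED_VPN_IPS:
            alerts.append(f"dns: {a.qname} -> {a.rdata} (expected {sorted(EXPECTED_VPN_IPS)})")
        if a.ttl < LOW_TTL_SECONDS:
            alerts.append(f"dns: {a.qname} -> {a.rdata} ttl={a.ttl}s below {LOW_TTL_SECONDS}s")
    return alerts


def check_flows(flows: Iterable[Flow]) -> list[str]:
    """Traffic to the real VPN endpoint that is not the tunnel protocol, i.e.
    plaintext leaving the host through the client's route exception."""
    alerts = []
    for f in flows:
        if f.dst_ip in EXPECTED_VPN_IPS and not _is_tunnel(f):
            alerts.append(f"flow: plaintext {f.protocol}/{f.dst_port} to VPN endpoint {f.dst_ip}")
    return alerts


def correlate(answers: Iterable[DnsAnswer], flows: Iterable[Flow]) -> list[str]:
    """Unexpected resolution of the VPN hostname followed by plaintext traffic
    to exactly that address: the address the tunnel was tricked into exempting.
    Returns the sorted list of such addresses."""
    spoofed = {a.rdata for a in answers if _is_vpn_name(a.qname) and a.rdata not in EXPECTED_VPN_IPS}
    return sorted({f.dst_ip for f in flows if f.dst_ip in spoofed and not _is_tunnel(f)})


# Constructed sample records: one genuine resolution, one suspicious one
# pointing at a web server's address, and the flows that would follow.
SAMPLE_DNS = [
    DnsAnswer("vpn.example.invalid.", "203.0.113.10", 3600),  # genuine
    DnsAnswer("vpn.example.invalid.", "198.51.100.7", 5),     # unexpected, short TTL
    DnsAnswer("www.example.invalid.", "198.51.100.7", 300),   # unrelated name
]
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "udp", 1194),  # the tunnel itself
    Flow("198.51.100.7", "udp", 1194),  # client contacting the address it was given
    Flow("198.51.100.7", "tcp", 443),   # plaintext session that should have been tunneled
    Flow("203.0.113.10", "tcp", 80),    # plaintext to the real endpoint, outside the tunnel
]

if __name__ == "__main__":
    for line in check_dns(SAMPLE_DNS) + check_flows(SAMPLE_FLOWS):
        print(line)
    print("bypassed addresses:", correlate(SAMPLE_DNS, SAMPLE_FLOWS))
```

On the sample data the DNS check raises two alerts for 198.51.100.7, the flow check raises one for the plaintext HTTP flow to the real endpoint, and the correlation names 198.51.100.7 as an address that was exempted from the tunnel and then reached in plaintext. The correlation step is the one worth wiring into a SIEM rule: either half alone produces false positives (providers do rotate endpoint addresses, and clients do probe their server), but the pair together is the attack's signature.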
