Insecure Traffic Configuration in Avira Phantom VPN for macOS
CVE-2023-36673

7.3HIGH

Key Information:

Vendor: Avira
Status: Phantom Vpn
Vendor: CVE Published:; 9 August 2023

What is CVE-2023-36673?

An issue in Avira Phantom VPN versions up to 2.23.1 for macOS allows improper configuration resulting in unsecured transmission of IP traffic to the VPN server's address. This leakage occurs even for traffic not initiated by the VPN client and is compounded by the use of plaintext DNS for server address resolution. Consequently, attackers can deceive users into sending sensitive data to arbitrary IP addresses outside the security of the VPN tunnel, transforming this configuration flaw into a potential avenue for exploitation.

References

https://www.avira.com/en/free-vpn

https://tunnelcrack.mathyvanhoef.com/details.html

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-202...

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Aug 9, 2023
Vulnerability Reserved
Jun 26, 2023