
Easy to exploit host traffic redirection vulnerability

Open koraa opened this issue 4 years ago • 4 comments

Joining a VPN does not require administrator access; a malicious party hosting any openconnect server can redirect the host's network traffic via their own server.

This vulnerability is executed by…simply logging into their own server.

The same preconditions apply as to #113. Note that hosting a GlobalProtect server is not necessary if commands are sent directly to the DBus service. In this case, hosting any openconnect-supported VPN server will suffice.

Proposed Fix

See #113 as both vulnerabilities have the same fix.

koraa (Dec 21 '21 13:12)

CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-45810

koraa (Apr 22 '22 16:04)

Is this fixed, given #113 was fixed, or the same fix for #113 needs to be implemented in this context? @koraa ?

arderyp (Aug 11 '23 21:08)

@arderyp Can a user now set up a VPN without using sudo or gaining a root password another way?

koraa (Aug 13 '23 10:08)

This vulnerability has been addressed in the 2.x release. Reasons are:

  1. The CLI version requires sudo to connect to the portal.
  2. The background service has been rewritten in 2.x, and it no longer depends on DBus.
  3. The background service will generate a security key each time it starts, then launch the GUI client and pass the security key to the GUI client via stdin (so that no one can sniff the security key).
  4. The GUI client and the background service communicate via WebSocket and all the payloads between them are encrypted using the security key. The encryption algorithm is ChaCha20-Poly1305.
  5. No one knows the security key other than the background service and the GUI client.

yuezk (Jan 29 '24 05:01)