Christina Pöpper

**Name of the Vulnerable Software and Affected Versions** Avira Phantom VPN versions through 2.23.1 **Description** An issue was discovered in Avira Phantom VPN where the VPN client insecurely configures the operating system, sending all IP traffic to the VPN server's IP address in plaintext outside the VPN tunnel. This occurs even if the traffic is not generated by the VPN client, and simultaneously uses plaintext DNS to look up the VPN server's IP address. This allows an adversary to trick the victim into sending traffic to arbitrary IP addresses in plaintext outside the VPN tunnel. **Recommendations** For Avira Phantom VPN versions through 2.23.1, update to a version later than 2.23.1 to resolve the issue. As a temporary workaround, consider restricting access to the VPN server's IP address to minimize the risk of exploitation. Avoid using plaintext DNS to look up the VPN server's IP address until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Clario VPN client versions 5.9.1.1662 and earlier **Description** The issue concerns the insecure configuration of the operating system by the Clario VPN client, which results in traffic to the local network being sent in plaintext outside the VPN tunnel, even when the local network uses a non-RFC1918 IP subnet. This allows an adversary to trick the victim into sending arbitrary IP traffic in plaintext outside the VPN tunnel. The problem is related to the lack of protection for transmitted data. **Recommendations** For Clario VPN client versions 5.9.1.1662 and earlier, update to a version that fixes the insecure configuration issue to prevent traffic from being sent in plaintext outside the VPN tunnel. As a temporary workaround, consider restricting access to the local network to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Clario VPN client versions 5.9.1.1662 and earlier **Description** The issue is related to the insecure configuration of the operating system by the Clario VPN client, which allows all IP traffic to the VPN server's IP address to be sent in plaintext outside the VPN tunnel. This can be exploited by an adversary to trick the victim into sending plaintext traffic to the VPN server's IP address, thereby deanonymizing the victim. The vulnerability is also referred to as the "ServerIP attack" for traffic to the real IP address of the VPN server. **Recommendations** For Clario VPN client versions 5.9.1.1662 and earlier, consider disabling the VPN client until a patch is available to prevent exploitation of the vulnerability. Restrict access to the VPN server's IP address to minimize the risk of deanonymization. Avoid sending sensitive traffic to the VPN server's IP address until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions WireGuard client version 0.5.3 Description The WireGuard client version 0.5.3 on Windows has an insecure configuration of the operating system and firewall. This configuration can block traffic to a local network using non-RFC1918 IP addresses. An attacker can exploit this to trick a user into blocking IP traffic to specific IP addresses and services, even while the VPN is active. This issue can result in disruption of access to network resources. Recommendations Update to a newer version of the WireGuard client that addresses this firewall configuration issue.