CVE-2024-3661

high

Description

DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.
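As an added example (not part of the CVE record or any vendor's code), the following decodes an option 121 payload using the RFC 3442 encoding and flags routes that would win over the tunnel routes a VPN client installs. It assumes the VPN claims all traffic with a 0.0.0.0/1 and 128.0.0.0/1 pair, and the sample payload is constructed, not captured.

```python
import ipaddress

# Constructed DHCP option 121 payload (RFC 3442 section 4 encoding), not captured
# from any real network. Two routes, both with a LAN-side next hop:
#   10.0.0.0/8 via 192.168.1.1  -> 08 0a | c0 a8 01 01
#   0.0.0.0/0  via 192.168.1.1  -> 00    | c0 a8 01 01
SAMPLE_OPTION_121 = bytes.fromhex("080ac0a80101" "00c0a80101")


def parse_classless_static_routes(payload):
    """Decode option 121 into a list of (IPv4Network destination, IPv4Address next hop)."""
    routes, i = [], 0
    while i < len(payload):
        width = payload[i]                  # prefix length in bits, 0..32
        if width > 32:
            raise ValueError(f"bad prefix width {width} at offset {i}")
        n = (width + 7) // 8                # only the significant destination octets are sent
        i += 1
        if i + n + 4 > len(payload):
            raise ValueError(f"truncated route entry at offset {i}")
        dest = int.from_bytes(payload[i:i + n] + bytes(4 - n), "big")
        router = ipaddress.IPv4Address(payload[i + n:i + n + 4])
        # strict=False: a malformed entry with host bits set still decodes for review
        routes.append((ipaddress.IPv4Network((dest, width), strict=False), router))
        i += n + 4
    return routes


def routes_bypassing_vpn(routes, tunnel_prefixes=("0.0.0.0/1", "128.0.0.0/1")):
    """Return the decoded routes that are more specific than the assumed tunnel routes.

    Longest prefix match means any DHCP-supplied route longer than the tunnel's
    /1 pair takes precedence, so traffic to that destination leaves over the
    physical interface instead of the VPN.
    """
    longest_tunnel = max(ipaddress.IPv4Network(p).prefixlen for p in tunnel_prefixes)
    return [(net, hop) for net, hop in routes if net.prefixlen > longest_tunnel]


if __name__ == "__main__":
    for net, hop in routes_bypassing_vpn(parse_classless_static_routes(SAMPLE_OPTION_121)):
        print(f"route {net} via {hop} would bypass the tunnel")
```

The default route in the sample (prefix length 0) is less specific than the /1 pair and is not flagged; only the 10.0.0.0/8 entry is.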

References

https://securityaffairs.com/163036/breaking-news/security-affairs-newsletter-round-471-by-pierluigi-paganini-international-edition.html

https://www.scmagazine.com/news/tunnelvision-dhcp-flaw-lets-attackers-bypass-vpns-redirect-traffic

https://securityaffairs.com/162894/hacking/tunnelvision-attack-vpn.html

https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/

https://www.bleepingcomputer.com/news/security/new-tunnelvision-attack-leaks-vpn-traffic-using-rogue-dhcp-servers/

https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/?web_view=true

https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/

https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability

https://www.leviathansecurity.com/research/tunnelvision

https://www.agwa.name/blog/post/hardening_openvpn_for_def_con

https://tunnelvisionbug.com/

https://news.ycombinator.com/item?id=40284111

https://news.ycombinator.com/item?id=40279632

https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision

https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic

https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/

https://issuetracker.google.com/issues/263721377

https://datatracker.ietf.org/doc/html/rfc3442#section-7

https://datatracker.ietf.org/doc/html/rfc2131#section-7

Details

Source: Mitre, NVD

Published: 2024-05-06

Updated: 2024-05-08

Risk Information

CVSS v2

Base Score: 2.9

Vector: CVSS2#AV:A/AC:M/Au:N/C:P/I:N/A:N

Severity: Low

CVSS v3

Base Score: 7.6

Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Severity: High