CVE-2024-3661 Vulnerability Exploited in TunnelVision Attack
Researchers have described a technique called TunnelVision, which lets an attacker on the same local network observe a victim's network traffic. This bypass method, referred to as "decloaking," has been assigned the identifier CVE-2024-3661 and affects operating systems whose DHCP client supports DHCP option 121 (classless static routes).
Fundamentally, TunnelVision uses an attacker-controlled DHCP server to push routes into the VPN user's routing table via DHCP option 121, so that traffic meant for the VPN is sent unencrypted outside the tunnel. The method works because DHCP provides no authentication for these option messages.
DHCP, a client/server protocol, assigns IP addresses and configuration details like subnet masks and gateways to devices joining a network. It manages IP address leasing, reclaiming unused addresses for reallocation.
TunnelVision Allows for DHCP Tampering
The vulnerability allows attackers to manipulate routes via DHCP messages, redirecting VPN traffic to potentially read, disrupt, or alter network data that should be protected by the VPN. This approach is independent of specific VPN technologies or providers.
The TunnelVision attack deceives VPN users into believing their connections are secure and encrypted, while traffic is redirected to the attacker's server for potential inspection. Successful exploitation requires the victim's DHCP client to implement DHCP option 121 and accept a lease from the attacker's server.
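As an added example (not code from the original article or from the researchers), the following Python decodes an RFC 3442 option 121 payload the way a DHCP client would and then applies longest-prefix matching to show which destinations a pushed route would pull out of the tunnel. The payload bytes, the VPN's two /1 routes on tun0 and the gateway 192.0.2.1 are constructed values for illustration.

```python
import ipaddress

# Constructed DHCP option 121 payload (RFC 3442 encoding), not a real capture:
#   203.0.113.0/24  via 192.0.2.1 -> 18 cb 00 71    | c0 00 02 01
#   198.51.100.7/32 via 192.0.2.1 -> 20 c6 33 64 07 | c0 00 02 01
SAMPLE_OPTION_121 = bytes.fromhex("18cb0071c0000201" "20c6336407c0000201")

# Routes a VPN client typically installs on its tunnel interface: two /1
# prefixes that together cover the whole IPv4 space (assumed layout).
VPN_ROUTES = [("0.0.0.0/1", "tun0"), ("128.0.0.0/1", "tun0")]


def decode_option_121(data: bytes):
    """Parse classless static routes: 1 byte prefix length, ceil(len/8)
    significant destination octets, then a 4-byte router address."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        nbytes = (plen + 7) // 8
        dest = data[i + 1:i + 1 + nbytes]
        router = data[i + 1 + nbytes:i + 5 + nbytes]
        if plen > 32 or len(dest) != nbytes or len(router) != 4:
            raise ValueError("malformed option 121 at offset %d" % i)
        addr = ipaddress.IPv4Address(dest.ljust(4, b"\x00"))
        net = ipaddress.IPv4Network(f"{addr}/{plen}", strict=False)
        routes.append((net, ipaddress.IPv4Address(router)))
        i += 1 + nbytes + 4
    return routes


def egress_for(destination: str, dhcp_routes):
    """Longest-prefix match over the VPN routes plus the DHCP-pushed routes.
    Returns ("vpn", iface) or ("dhcp", gateway) for the winning route."""
    dst = ipaddress.IPv4Address(destination)
    cands = [(ipaddress.IPv4Network(n), "vpn", via) for n, via in VPN_ROUTES]
    cands += [(net, "dhcp", str(gw)) for net, gw in dhcp_routes]
    best = max((c for c in cands if dst in c[0]),
               key=lambda c: c[0].prefixlen, default=None)
    return None if best is None else (best[1], best[2])


def bypassed_destinations(dhcp_routes, destinations):
    """Destinations whose packets would leave the host outside the tunnel."""
    return [d for d in destinations
            if (egress_for(d, dhcp_routes) or ("",))[0] == "dhcp"]


if __name__ == "__main__":
    pushed = decode_option_121(SAMPLE_OPTION_121)
    for net, gw in pushed:
        print(f"lease pushed {net} via {gw}: more specific than the VPN's /1 routes")
    for d in ("203.0.113.9", "198.51.100.7", "93.184.216.34"):
        print(d, "->", egress_for(d, pushed))
```

Any pushed prefix longer than /1 beats the tunnel's routes for the addresses it covers, which is why a client that honours option 121 from an untrusted lease needs either a firewall rule pinning traffic to the tunnel or a lease policy that ignores the option.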
This attack resembles TunnelCrack, which leaks traffic from a VPN tunnel when connected to untrusted networks, facilitating adversary-in-the-middle (AitM) attacks. Notably, major operating systems like Windows, Linux, macOS, and iOS are affected, excluding Android due to lack of support for DHCP option 121. VPN tools relying solely on routing rules are also vulnerable.
Security researchers describe TunnelVision as a DHCP starvation attack creating a side-channel to bypass VPN encapsulation and reroute traffic outside the VPN tunnel.