CVE-2024-3661 Vulnerability Exploited in TunnelVision Attack

Researchers have described a technique called TunnelVision that lets an attacker on the same local network as a victim observe the victim's network traffic. This bypass method, referred to as "decloaking," has been assigned the identifier CVE-2024-3661 and affects operating systems that run a DHCP client supporting DHCP option 121 routes.

Fundamentally, TunnelVision routes a VPN user's traffic outside the encrypted tunnel: an attacker-controlled DHCP server uses DHCP option 121 to push a route into the user's routing table, so the traffic leaves the host unencrypted instead of going through the VPN. The method works because DHCP provides no authentication for these option messages.

DHCP, a client/server protocol, assigns IP addresses and configuration details like subnet masks and gateways to devices joining a network. It manages IP address leasing, reclaiming unused addresses for reallocation.

TunnelVision Allows for DHCP Tampering

The vulnerability allows attackers to manipulate routes through DHCP messages, redirecting traffic that should have gone through the VPN so they can potentially read, disrupt, or alter data the VPN was meant to protect. The approach does not depend on any specific VPN technology or provider.

The TunnelVision attack leaves VPN users believing their connections are secure and encrypted, while their traffic is redirected to the attacker's server for potential inspection. Successful exploitation requires that the victim's DHCP client implements DHCP option 121 and accepts a lease from the attacker's server.

This attack resembles TunnelCrack, which leaks traffic from a VPN tunnel when the device is connected to an untrusted network, enabling adversary-in-the-middle (AitM) attacks. Notably, the major operating systems Windows, Linux, macOS, and iOS are affected; Android is not, because it does not support DHCP option 121. VPN tools that rely solely on routing rules are also vulnerable.

Security researchers describe TunnelVision as a DHCP starvation attack that creates a side channel to bypass VPN encapsulation and reroute traffic outside the VPN tunnel.
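To make the routing mechanism concrete from a defender's side, here is an added example (not code from the page or from the TunnelVision researchers) that decodes a DHCP option 121 payload and flags the routes that longest-prefix matching would prefer over the routes a VPN client typically installs. The option 121 bytes, the rogue next hop 192.168.1.254 and the VPN's two /1 routes are all constructed for this example.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

# Constructed option 121 payload (RFC 3442 classless static routes), not a real capture.
# Each entry is: prefix length, significant destination octets only, 4-byte router.
OPTION_121 = bytes([
    0, 192, 168, 1, 1,                     # 0.0.0.0/0        via 192.168.1.1 (normal default)
    1, 0, 192, 168, 1, 254,                # 0.0.0.0/1        via 192.168.1.254 (rogue)
    32, 203, 0, 113, 10, 192, 168, 1, 254  # 203.0.113.10/32  via 192.168.1.254 (rogue)
])

# Routes many VPN clients install to override the default route without deleting it.
VPN_ROUTES = [ipaddress.IPv4Network("0.0.0.0/1"), ipaddress.IPv4Network("128.0.0.0/1")]


def parse_option_121(payload: bytes) -> List[Route]:
    """Decode the classless static route list carried in DHCP option 121."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        nsig = (plen + 7) // 8            # only ceil(plen/8) destination octets are encoded
        dest = payload[i + 1:i + 1 + nsig] + bytes(4 - nsig)
        router = payload[i + 1 + nsig:i + 5 + nsig]
        if len(dest) != 4 or len(router) != 4:
            raise ValueError("truncated option 121 entry")
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False),
                       ipaddress.IPv4Address(router)))
        i += 5 + nsig
    return routes


def routes_that_bypass_vpn(routes: List[Route], vpn_routes=VPN_ROUTES) -> List[Route]:
    """Return DHCP routes that win longest-prefix match against the VPN's routes.

    A route equal in length to a VPN route is also flagged: which one the kernel
    picks then depends on metric and interface, which DHCP does not control.
    """
    flagged = []
    for dest, router in routes:
        if any(dest.subnet_of(v) and dest.prefixlen >= v.prefixlen for v in vpn_routes):
            flagged.append((dest, router))
    return flagged
```

Run against the constructed payload, the plain /0 default is not flagged because the VPN's /1 routes already beat it, while the /1 and /32 entries pointing at 192.168.1.254 are.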

May 10, 2024