CVE-2024-3661

high

Description

DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.

References

https://securityaffairs.com/163036/breaking-news/security-affairs-newsletter-round-471-by-pierluigi-paganini-international-edition.html

https://www.scmagazine.com/news/tunnelvision-dhcp-flaw-lets-attackers-bypass-vpns-redirect-traffic

https://securityaffairs.com/162894/hacking/tunnelvision-attack-vpn.html

https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/

https://www.bleepingcomputer.com/news/security/new-tunnelvision-attack-leaks-vpn-traffic-using-rogue-dhcp-servers/

https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/?web_view=true

https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/?&web_view=true

https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/

https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability

https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009

https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/

https://www.leviathansecurity.com/research/tunnelvision

https://www.agwa.name/blog/post/hardening_openvpn_for_def_con

https://tunnelvisionbug.com/

https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661

https://security.paloaltonetworks.com/CVE-2024-3661

https://news.ycombinator.com/item?id=40284111

https://news.ycombinator.com/item?id=40279632

https://my.f5.com/manage/s/article/K000139553

https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision

https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic

https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/

https://issuetracker.google.com/issues/263721377

https://fortiguard.fortinet.com/psirt/FG-IR-24-170

https://datatracker.ietf.org/doc/html/rfc3442#section-7

https://datatracker.ietf.org/doc/html/rfc2131#section-7

https://bst.cisco.com/quickview/bug/CSCwk05814

https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/

Details

Source: Mitre, NVD

Published: 2024-05-06

Updated: 2024-07-01

Risk Information

CVSS v2

Base Score: 7.3

Vector: CVSS2#AV:A/AC:L/Au:N/C:C/I:P/A:P

Severity: High

CVSS v3

Base Score: 7.6

Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Severity: High