A newly identified network vulnerability, dubbed TunnelVision (CVE-2024-3661), enables attackers to bypass VPN encapsulation using DHCP, resulting in complete VPN traffic leaks without tripping VPN kill switches.
This vulnerability was uncovered by researchers Lizzie Moratti and Dani Cronce of Leviathan Security Group, who have extensively explored this issue and attempted to alert as many affected entities as possible before hackers and malicious actors take advantage.
TunnelVision discovery and mechanism
TunnelVision exploits a built-in feature of DHCP (Dynamic Host Configuration Protocol) to "decloak" routing-based VPNs, that is, to steer user data outside the encrypted VPN tunnel. This is achieved by manipulating DHCP option 121 (classless static routes) to force traffic off the VPN, allowing attackers to snoop on traffic that the user believes is still secured. Notably, this technique could have been viable since 2002 and might already have been exploited in the wild.
The researchers have spent considerable time studying this vulnerability and notifying affected parties, including VPN providers, operating system maintainers, and individual VPN users. Despite their efforts, the complexity and widespread nature of the issue render individual notifications impractical, leading to the decision for a public disclosure.
The attack involves setting up a rogue DHCP server that hands out malicious routing instructions to users' devices. When these devices obtain or renew their DHCP lease, they receive routes that take priority over the VPN tunnel's routes, so traffic for those destinations is sent through the attacker-controlled gateway unencrypted.
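As an added, defender-side illustration (not code from the researchers or from any VPN vendor), the script below decodes a DHCP option 121 payload and flags any pushed route that is strictly more specific than a tunnel route covering it, which is exactly the condition under which longest-prefix matching sends that traffic around the VPN. The option bytes and the assumption that the VPN client installs the common 0.0.0.0/1 and 128.0.0.0/1 "two halves" routes are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

# Constructed sample payload of DHCP option 121 (RFC 3442 classless static routes).
# Each entry is: <prefix length> <significant destination octets> <4-byte router>.
SAMPLE_OPTION_121 = bytes(
    [0x00, 192, 168, 1, 1]                  # 0.0.0.0/0   via 192.168.1.1 (ordinary default)
    + [0x08, 10, 192, 168, 1, 254]          # 10.0.0.0/8  via 192.168.1.254
    + [0x18, 1, 1, 1, 192, 168, 1, 254]     # 1.1.1.0/24  via 192.168.1.254
)
# Assumption: the VPN client overrides the default route with these two tunnel routes.
VPN_TUNNEL_ROUTES = [ipaddress.IPv4Network("0.0.0.0/1"), ipaddress.IPv4Network("128.0.0.0/1")]

def parse_option_121(data: bytes) -> List[Route]:
    """Decode option 121 into (destination network, router) pairs; rejects malformed input."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        nbytes = (plen + 7) // 8  # only the significant destination octets are encoded
        if i + nbytes + 4 > len(data):
            raise ValueError("truncated option 121 payload")
        dst = data[i:i + nbytes] + b"\x00" * (4 - nbytes)
        i += nbytes
        router = ipaddress.IPv4Address(data[i:i + 4])
        i += 4
        # strict=False: stray host bits are masked off, as the receiving host would do
        routes.append((ipaddress.IPv4Network((dst, plen), strict=False), router))
    return routes

def routes_escaping_vpn(dhcp_routes: List[Route], vpn_routes: List[ipaddress.IPv4Network]):
    """Return DHCP routes more specific than a covering tunnel route (they win the lookup)."""
    leaks = []
    for net, gateway in dhcp_routes:
        for tunnel_net in vpn_routes:
            if net.subnet_of(tunnel_net) and net.prefixlen > tunnel_net.prefixlen:
                leaks.append((net, gateway, tunnel_net))  # traffic to net bypasses the tunnel
                break
    return leaks

if __name__ == "__main__":
    for net, gw, tun in routes_escaping_vpn(parse_option_121(SAMPLE_OPTION_121), VPN_TUNNEL_ROUTES):
        print(f"LEAK: {net} via {gw} is more specific than tunnel route {tun}")
```

Running it on the sample reports the 10.0.0.0/8 and 1.1.1.0/24 routes as escaping the tunnel while the plain default route is not flagged; the same check can be run against the option 121 bytes a real lease carries.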
Impact and mitigation
The impact of TunnelVision is profound as it affects all major operating systems that adhere to the DHCP RFC specifications and support option 121. The researchers have seen mitigations from some VPN providers but noted that typical firewall rules and packet inspections might not be sufficient to prevent this type of attack.
One mitigation technique observed involves using network namespaces on Linux-based systems to isolate network interfaces and routing tables from the local network's control. This method effectively contains the VPN traffic within a secure environment, separated from potentially compromised network settings.
For users, the recommended defenses include:
- Being cautious on untrusted networks.
- Using VPNs that have robust mitigations against such attacks.
- Considering the use of technologies like network namespaces if available.
System administrators are advised to ensure network devices have DHCP snooping and ARP protections to prevent rogue DHCP server setups.