Researchers have detailed a Digital Non-public Community (VPN) bypass method dubbed TunnelVision that enables risk actors to listen in on sufferer’s community site visitors by simply being on the identical native community.
The “decloaking” technique has been assigned the CVE identifier CVE-2024-3661 (CVSS rating: 7.6). It impacts all working methods that implement a DHCP shopper and has assist for DHCP choice 121 routes.
At its core, TunnelVision includes the routing of site visitors with out encryption by a VPN by the use of an attacker-configured DHCP server utilizing the classless static route choice 121 to set a route on the VPN person’s routing desk.
It additionally stems from the very fact the DHCP protocol, by design, doesn’t authenticate such choice messages, thus exposing them to manipulation.
DHCP is a shopper/server protocol that routinely supplies an Web Protocol (IP) host with its IP deal with and different associated configuration info such because the subnet masks and default gateway in order to entry the community and its assets.
It additionally helps reliably configure IP addresses by way of a server that maintains a pool of IP addresses and leases an deal with to any DHCP-enabled shopper when it begins up on the community.
As a result of these IP addresses are dynamic (i.e., leased) moderately than static (i.e., completely assigned), addresses which can be now not in use are routinely returned to the pool for reallocation.
The vulnerability, in a nutshell, makes it potential for an attacker with the flexibility to ship DHCP messages to govern routes to redirect VPN site visitors, thereby permitting them to learn, disrupt, or presumably modify community site visitors that was anticipated to be protected by the VPN.
“As a result of this method just isn’t depending on exploiting VPN applied sciences or underlying protocols, it really works fully independently of the VPN supplier or implementation,” Leviathan Safety Group researchers Dani Cronce and Lizzie Moratti stated.
“Our method is to run a DHCP server on the identical community as a focused VPN person and to additionally set our DHCP configuration to make use of itself as a gateway. When the site visitors hits our gateway, we use site visitors forwarding guidelines on the DHCP server to cross site visitors by to a professional gateway whereas we listen in on it.”
In different phrases, TunnelVision methods a VPN person into believing that their connections are secured and routed by an encrypted tunnel, when in actuality it has been redirected to the attacker’s server in order that it may be probably inspected.
Nevertheless, to be able to efficiently decloak the VPN site visitors, the focused host’s DHCP shopper should implement DHCP choice 121 and settle for a DHCP lease from the attacker-controlled server.
The assault can also be just like TunnelCrack, which is designed to leak site visitors exterior a protected VPN tunnel when connecting to an untrusted Wi-Fi community or a rogue ISP, leading to adversary-in-the-middle (AitM) assaults.
The issue impacts all main working methods like Home windows, Linux, macOS, and iOS aside from Android because it doesn’t have assist for DHCP choice 121. It additionally impacts VPN instruments that solely depend on routing guidelines to safe the host’s site visitors.
Mullvad has since confirmed that the desktop variations of its software program have firewall guidelines in place to dam any site visitors to public IPs exterior the VPN tunnel, however acknowledged that the iOS model is susceptible to TunnelVision.
Nevertheless, it is but to combine and ship a repair owing to the complexity of the enterprise, which the Swedish firm stated has been engaged on for “a while.”
“The TunnelVision vulnerability (CVE-2024-3661) exposes a technique for attackers to bypass VPN encapsulation and redirect site visitors exterior the VPN tunnel,” Zscaler researchers stated, describing it as a method that employs a DHCP hunger assault to create a side-channel.
“This system includes utilizing DHCP choice 121 to route site visitors with out encryption by a VPN, finally sending it to the web by way of a side-channel created by the attacker.”
To mitigate TunnelVision, organizations are advisable to implement DHCP snooping, ARP protections, and port safety on switches. It is also suggested to implement community namespaces on Linux to repair the conduct.
