Hacker releases TunnelVision attack to compromise VPN traffic

The TunnelVision attack allows traffic to be directed outside the VPN tunnel, giving attackers the ability to eavesdrop on unencrypted traffic while maintaining the appearance of a secure VPN connection.

The problem is described in detail in a report by Leviathan Security, which comes with a proof-of-concept exploit. The attack is based on the abuse of option 121 in DHCP, which allows classless static routes to be configured on the client system.

Thus, attackers set up their own DHCP server, which changes the routing tables so that all VPN traffic is sent directly to the local network or to a malicious gateway, without entering the encrypted VPN tunnel at all.

“Our method involves running a DHCP server on the same network as the target VPN user and setting the DHCP configuration to use itself as the gateway,” the researchers said. “When traffic hits our gateway, we use traffic forwarding rules on the DHCP server to forward the traffic to the legitimate gateway that we are monitoring.”

The crux of the problem is that DHCP has no authentication mechanism for incoming messages that can affect routes. The vulnerability has been assigned the identifier CVE-2024-3661.

Researchers note that the problem has been available for exploitation since at least 2002, but no cases of its active use by hackers have been identified.

Leviathan Security notified many manufacturers, as well as the US Cybersecurity and Infrastructure Security Agency (CISA) and the Electronic Frontier Foundation (EFF), about the problem.

The TunnelVision vulnerability affects Windows, Linux, macOS and iOS. Since Android does not support DHCP option 121, it is the only popular OS that is not susceptible to such attacks.

TunnelVision mainly poses a threat to users who have connected their device to a network that an attacker already controls or is present on. Possible attack scenarios therefore include public Wi-Fi networks, for example in cafes, hotels and airports.

At the same time, the VPN on the target device must be vulnerable to routing manipulation, which, according to experts, applies to most VPN clients that use system-level routing rules without leak protection. Additionally, the target device must have DHCP auto-configuration enabled for the malicious DHCP configuration to be applied when connecting to the network. However, this is also not uncommon.

Experts offer the following methods of protection against TunnelVision:

  • Use network namespaces in Linux to isolate network interfaces and routing tables from the rest of the system, so that unauthorized DHCP configurations cannot affect VPN traffic.
  • Configure VPN clients to deny all incoming and outgoing traffic that does not use the VPN (exceptions should be limited to strictly necessary DHCP and VPN server connections).
  • Configure the system to ignore DHCP option 121 when connecting to a VPN, which will help prevent malicious routing instructions from being applied, although this may lead to errors in certain configurations.
  • Connect through personal hotspots or virtual machines, which will help isolate DHCP from the main network interface of the host system.
  • Avoid connecting to untrusted networks, as they are the main environment for such attacks.

It is also recommended that VPN providers modify their client software to implement their own DHCP handlers or implement additional security checks that will block the use of dangerous DHCP configurations.
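
As an illustration of such a check (an added example, not code from Leviathan Security or from any VPN client), the sketch below decodes a DHCP option 121 payload in the RFC 3442 encoding and reports routes that leave the leased subnet and would win longest-prefix matching against a VPN route. The function names, the sample payload, the lease subnet and the VPN route list are all assumptions constructed for the example.

```python
import ipaddress

def parse_option_121(data: bytes):
    """Decode an RFC 3442 classless static route payload into (network, router) pairs."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        n = (plen + 7) // 8              # only the significant destination octets are sent
        end = i + 1 + n + 4              # descriptor + destination octets + 4-byte router
        if end > len(data):
            raise ValueError("truncated option 121 payload")
        dest = data[i + 1:i + 1 + n] + bytes(4 - n)   # pad destination to 4 octets
        net = ipaddress.IPv4Network((dest, plen), strict=False)
        router = ipaddress.IPv4Address(data[i + 1 + n:end])
        routes.append((net, router))
        i = end
    return routes

def risky_routes(data: bytes, lease_subnet: str, vpn_routes):
    """Return pushed routes that could pull traffic away from the VPN routes."""
    lease = ipaddress.ip_network(lease_subnet)
    vpn = [ipaddress.ip_network(r) for r in vpn_routes]
    flagged = []
    for net, router in parse_option_121(data):
        if net.subnet_of(lease):
            continue                     # route stays inside the local LAN
        # A route at least as specific as an overlapping VPN route can take
        # precedence; equal-length ties depend on metrics, so flag those too.
        if any(net.overlaps(v) and net.prefixlen >= v.prefixlen for v in vpn):
            flagged.append((str(net), str(router)))
    return flagged

# Constructed sample payload (not captured traffic): two /1 routes via a LAN host
# and one route confined to the leased subnet.
SAMPLE_OPTION_121 = bytes([
    1, 0, 192, 168, 1, 66,                   # 0.0.0.0/1   via 192.168.1.66
    1, 128, 192, 168, 1, 66,                 # 128.0.0.0/1 via 192.168.1.66
    25, 192, 168, 1, 128, 192, 168, 1, 1,    # 192.168.1.128/25 via 192.168.1.1
])

if __name__ == "__main__":
    for net, gw in risky_routes(SAMPLE_OPTION_121, "192.168.1.0/24", ["0.0.0.0/0"]):
        print(f"suspicious option 121 route: {net} via {gw}")
```

A client or monitoring agent could run a check like this on each received lease and drop or alert on the flagged routes while the VPN is up.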
