Threats

Although HTTPS encrypts network traffic in-transit, it does not hide the client's intended destination. The IP address of every site visited is exposed in cleartext because the TCP/IP protocol stack is not encrypted. DNS requests are also fundamentally required for internet traffic and also which websites a client is visiting. 

Masking these privacy exposing protocols is one important reason for using  a VPN.  All HTTPS traffic is then encapsulated within a VPN protocol and routed through a single IP address.  An Adversary in the Middle (AitM) attacker could only essentially determine that you are using a VPN, and potentially, which VPN provider you are using. Another reason for using a VPN is to access systems within a private network from a remote location such as a work-from-home model. The fundamental goals of privacy and security mean that compromising a VPN connection 

In this article we will explore a recently disclosed attack against VPN security known as TunnelVision  and disclosed as CVE-2024-3661.

TunnelVision (CVE-2024-3661): Bypassing An Encrypted VPN Tunnel

The recent disclosure of a weakness in most VPN protocols has the potential to remove all these protections that a VPN offers, allowing network admin or ISP to see which internet servers a user is connecting to. Tracked as CVE-2024-3661, and referred to as TunnelVision by the researchers who discovered it, this article will delve into how the attack uses a DHCP feature known as option 121 to change the way a VPN client's network interface operates, routing traffic that should be filtered through a virtual network interface directly through the physical interface - bypassing the VPN tunnel and thereby exposing a victim to snooping.

Here's how the attack works:

• Exploitation of DHCP: The attacker leverages built-in features of DHCP, specifically manipulating how network configurations are assigned to the user's device. This can be done by controlling or spoofing DHCP responses that the device receives.

• Decloaking the VPN Tunnel: Through the manipulation of DHCP settings, the attacker forces the user’s network traffic to exit the secure VPN tunnel. This is often achieved by altering the routing table or other network settings of the user's device without disrupting the VPN connection itself.

• VPN Appears Active: Despite the rerouting of the traffic outside the VPN tunnel, the VPN's control channel remains intact. This means all VPN status indicators still show the user as securely connected, and features like automatic kill switches, which cut internet access if the VPN fails, are not triggered.

• Snooping the Unencrypted Traffic: Once the traffic is rerouted, it travels unencrypted over the internet, allowing the attacker to intercept and read the content of the packets, effectively compromising the user’s privacy and security.

What Is DHCP Option 121?

In the Dynamic Host Configuration Protocol (DHCP) RFC 3442 introduced option 121 known as the "Classless Static Route Option" and obsoleted option 33 which only allowed classful static routes. Option 121, allows a DHCP server to specify routes that are added to the client's routing table, guiding how packets are routed to specific network destinations through specified gateways.  In the case of TunnelVision, Option 121 is leveraged by an attacker to add routes to network clients that circumvent the virtual interface used by a VPN application. 

How Does The TunnelVision Attack Work?

The TunnelVision attack leverages control of the DHCP server on the same network as the targeted VPN user to manipulate routing tables and direct traffic through a maliciously configured unencrypted  gateway rather than using the intended encrypted virtual interface. A proof of concept has been published by Leviathan Security including a YouTube demonstration, a GitHub repository with a lab setup, and a DHCP Virtual Machine (VM) server image. However, TunnelVision does not affect all VPN implementations; WireGuard can use namespaces to bind a VPN's virtual network interface directly to a physical interface, which mitigates the impact of CVE-2024-3661.  

Here's a breakdown of the technical details of how this attack operates:

• DHCP Server Setup: The attacker runs a DHCP server on the network accessible to the VPN user. This server is configured to designate itself as the gateway for all outgoing traffic from the VPN user.

• Use of DHCP Option 121: Through DHCP option 121, the attacker sets specific routes in the VPN user's routing table. This option allows the attacker to define more specific routes than the default /0 CIDR range commonly used by VPNs. By doing so, the attacker ensures that these routes take precedence over those set by the VPN's virtual interface.

• Manipulating Traffic Routes: The attacker can insert multiple routes (such as multiple /1 routes) to mimic and override the general all-traffic rule (0.0.0.0/0) set by the VPN. This forces the user's traffic to reroute through the physical network interface instead of the VPN's virtual interface.

• Traffic Forwarding and Snooping: Once the traffic is redirected to hit the attacker’s gateway (the malicious DHCP server), traffic forwarding rules are applied to pass this traffic through to a legitimate gateway. Meanwhile, the attacker can monitor or 'snoop' on this traffic because it is not encrypted by the VPN.

• Bypassing VPN Encryption: The redirected traffic bypasses the encrypted VPN tunnel and is instead sent over the network interface that communicates directly with the DHCP server. This results in the transmission of unencrypted data.

• Renewal and Lease Manipulation: To maintain control and continuously update the routing table of the VPN user's device, the attacker can set a short lease time on the DHCP server. This frequent renewal requirement forces the VPN user to consistently fetch new DHCP configuration details, including potentially malicious routes.

• VPN Control Channel Unaffected: The VPN control channel remains unaffected and continues to use the physical network interface for communication. The VPN connection still appears secure and connected from the user’s perspective, and any kill switches designed to protect against VPN dropouts are not triggered.

PaloAlto Networks has released a security advisory that identifies vulnerable and unaffected products, while Check Point Security claims their Quantum VPN product is impervious to TunnelVision attacks. Therefore it is highly advised to have your organization's VPN assessed by penetration testing security professionals to ensure whether it is resilient against attacks.

Conclusion

The TunnelVision attack, identified as CVE-2024-3661 potentially exploits VPN security via DHCP option 121 to manipulate the routing tables of VPN clients. This technique allows attackers to reroute VPN-protected traffic through a physical network interface, effectively bypassing VPN encryption and exposing user data to potential interception. Leading VPN product vendors have released statements regarding their products' vulnerability to TunnelVision, but each organization should conduct their own independent, objective-based security assessment to verify their resilience against attacks seeking to exploit CVE-2024-3661.