
New TunnelVision attack allows VPN traffic hijacking through DHCP manipulation

May 9, 2024 | Newsroom | Encryption/Data Protection

Researchers have described a Virtual Private Network (VPN) bypass technique called TunnelVision that allows threat actors to snoop on a victim's network traffic simply by being on the same local network.

The decloaking method has been assigned the CVE identifier CVE-2024-3661 (CVSS score: 7.6). It affects all operating systems that implement a DHCP client and support DHCP option 121 routes.

At its core, TunnelVision involves routing traffic without encryption outside the VPN tunnel by means of an attacker-configured DHCP server that uses the classless static route option 121 to set a route in the VPN user's routing table.

This is possible because the DHCP protocol, by design, does not authenticate such option messages, leaving them open to manipulation.
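The following is an added example for this article, not code from Leviathan Security Group, Mullvad or Zscaler. It parses the option area of a raw DHCP message, decodes option 121 in its RFC 3442 wire encoding (prefix length, only the significant destination octets, then the router address), and reports any pushed route whose next hop is not the gateway the network is known to use. The DHCPOFFER it inspects is constructed inline as sample data; the address 192.0.2.1 as the trusted gateway and 192.0.2.200 as the unexpected one are assumptions for the example.

```python
"""Decode DHCP option 121 (RFC 3442 classless static routes) and flag routes
that steer traffic to a gateway other than the one the network should use.
Added example for this article; not the researchers' or any vendor's code."""
import ipaddress
import struct
from typing import Dict, List, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP option area
OPT_PAD, OPT_ROUTER, OPT_MSG_TYPE = 0, 3, 53
OPT_CLASSLESS_STATIC_ROUTE, OPT_END = 121, 255

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Walk the TLV options after the 236-byte fixed header and magic cookie.
    Repeated option codes are concatenated, as RFC 3396 requires for long options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (missing magic cookie)")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def parse_classless_static_routes(data: bytes) -> List[Route]:
    """RFC 3442 encoding: 1 byte prefix length, ceil(len/8) destination octets,
    4 byte router address, repeated until the option is exhausted."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        width = data[i]
        if width > 32:
            raise ValueError(f"bad prefix length {width}")
        n = (width + 7) // 8
        i += 1
        if i + n + 4 > len(data):
            raise ValueError("truncated route entry")
        dest = int.from_bytes(data[i : i + n] + b"\x00" * (4 - n), "big")
        router = ipaddress.IPv4Address(bytes(data[i + n : i + n + 4]))
        i += n + 4
        routes.append((ipaddress.IPv4Network((dest, width), strict=False), router))
    return routes


def audit_dhcp_message(payload: bytes, trusted_gateway: str) -> List[str]:
    """Return findings for gateways or routes that do not point at trusted_gateway."""
    opts = parse_dhcp_options(payload)
    trusted = ipaddress.IPv4Address(trusted_gateway)
    findings: List[str] = []
    routers = opts.get(OPT_ROUTER, b"")
    if len(routers) % 4:
        raise ValueError("option 3 is not a list of IPv4 addresses")
    for off in range(0, len(routers), 4):
        gw = ipaddress.IPv4Address(routers[off : off + 4])
        if gw != trusted:
            findings.append(f"option 3 default gateway {gw} is not the trusted gateway")
    # RFC 3442: a client that understands option 121 ignores option 3, so these
    # entries decide where the host's traffic actually goes.
    for network, router in parse_classless_static_routes(
        opts.get(OPT_CLASSLESS_STATIC_ROUTE, b"")
    ):
        if router != trusted:
            findings.append(f"option 121 route {network} via {router} bypasses trusted gateway")
    return findings


def build_sample_offer(router: bytes, option121: bytes) -> bytes:
    """Construct a minimal DHCPOFFER (sample data for this example, not a capture)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                 # BOOTREPLY, Ethernet, MAC length, hops
        0x3903F326, 0, 0,           # xid, secs, flags
        b"\0" * 4, bytes([192, 0, 2, 50]),   # ciaddr, yiaddr (offered address)
        b"\0" * 4, b"\0" * 4,       # siaddr, giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128,
    )
    options = (
        bytes([OPT_MSG_TYPE, 1, 2])          # DHCPOFFER
        + bytes([OPT_ROUTER, 4]) + router
        + bytes([OPT_CLASSLESS_STATIC_ROUTE, len(option121)]) + option121
        + bytes([OPT_END])
    )
    return header + MAGIC_COOKIE + options


# Constructed option 121 body: 10.0.0.0/8 via 192.0.2.1 (the trusted gateway)
# and 198.51.100.0/24 via 192.0.2.200 (an unexpected host on the LAN).
SAMPLE_OPTION_121 = bytes([8, 10, 192, 0, 2, 1, 24, 198, 51, 100, 192, 0, 2, 200])
SAMPLE_OFFER = build_sample_offer(bytes([192, 0, 2, 1]), SAMPLE_OPTION_121)

if __name__ == "__main__":
    for line in audit_dhcp_message(SAMPLE_OFFER, "192.0.2.1"):
        print(line)
```

Fed the UDP payload of a DHCPOFFER captured by a monitoring port, the audit reports only the second sample route, because its next hop is not the gateway the network is known to use; a route for 0.0.0.0/0 is encoded as a single prefix-length byte followed by the router address, and the parser handles that case as well.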

DHCP is a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information, such as the subnet mask and default gateway, to access the network and its resources.


It also helps configure IP addresses reliably through a server that maintains a pool of IP addresses and leases an address to each DHCP-enabled client when it boots on the network.

Because these IP addresses are dynamic (i.e. leased) rather than static (i.e. permanently assigned), addresses that are no longer in use are automatically returned to the pool for reassignment.

In short, the vulnerability allows an attacker who can send DHCP messages to manipulate routes to redirect VPN traffic, thereby reading, interfering with, or potentially altering network traffic that the VPN was intended to protect.

“Because this technique does not rely on the exploitation of VPN technologies or underlying protocols, it works completely independently of the VPN provider or VPN implementation,” said researchers Dani Cronce and Lizzie Moratti of Leviathan Security Group.

“Our technique is to run a DHCP server on the same network as a target VPN user and also set our DHCP configuration to use itself as a gateway. When traffic reaches our gateway, we use traffic routing rules on the DHCP server to route the traffic to a legitimate gateway while we spy on it.”

In other words, TunnelVision tricks a VPN user into believing that their connections are secured and being routed through an encrypted tunnel, when in reality they have been redirected to the attacker's server, where they can potentially be inspected.

However, to successfully unmask VPN traffic, the target host’s DHCP client must implement DHCP option 121 and accept a DHCP lease from the attacker-controlled server.

The attack is also similar to TunnelCrack, which is designed to make traffic leak outside a protected VPN tunnel when connecting to an untrusted Wi-Fi network or a rogue ISP, leading to adversary-in-the-middle (AitM) attacks.

The issue affects all major operating systems, including Windows, Linux, macOS and iOS, with the exception of Android, which does not support DHCP option 121. It also affects VPN tools that rely solely on routing rules to secure the host's traffic.

Mullvad has since confirmed that the desktop versions of its software have firewall rules to block all traffic to public IP addresses outside the VPN tunnel, but acknowledged that the iOS version is vulnerable to TunnelVision.


However, due to the complexity of the undertaking, which the Swedish company says it has been working on for "some time," a fix has yet to be integrated and shipped.

“The TunnelVision vulnerability (CVE-2024-3661) exposes a method for attackers to bypass VPN encapsulation and redirect traffic outside the VPN tunnel,” Zscaler researchers said, describing it as a technique that uses a DHCP starvation attack to create a side channel.

“This technique uses DHCP option 121 to route traffic unencrypted over a VPN and ultimately send it to the Internet via a side channel created by the attacker.”

To mitigate TunnelVision, organizations are recommended to implement DHCP snooping, ARP protection, and port security on switches. Using network namespaces on Linux is also recommended to address the behavior.
