In a blog post published on May 6th, 2024, Leviathan Security Group disclosed CVE-2024-3661, a network attack it named TunnelVision. The weakness sits in how hosts combine DHCP and routing rather than in any single VPN product, which is why it affects VPN security infrastructure so broadly.
Understanding TunnelVision
TunnelVision is a network technique for circumventing VPN encapsulation. Using a built-in feature of DHCP (Dynamic Host Configuration Protocol), an attacker on the same local network can push routes that steer a target's traffic around the VPN tunnel, so it leaves the host without the VPN's encryption and can be read or altered in transit; only whatever application-layer protection the traffic already carries, such as TLS, still applies. Because the problem is in operating-system DHCP and routing behaviour, it affects most operating systems, VPN protocols and providers, commercial and self-hosted alike. Android is not affected, and Linux can be protected with the right configuration.
Demystifying DHCP
DHCP, the Dynamic Host Configuration Protocol, hands out IP addresses and related settings to hosts on a local network. An operating system's DHCP client broadcasts a request when it joins a network and accepts what the responding server offers, normally without any authentication of that server. Addresses are assigned as time-limited leases, and the server can attach options that reconfigure the client on the fly, including the default gateway, DNS servers and static routes.
The Role of DHCP Option 121
DHCP Option 121 (classless static routes, defined in RFC 3442 in 2002) replaced the obsolete classful Option 33 and lets a DHCP server install static routes of any prefix length on the client. Two properties matter here. The option has no way to name the interface a route should be attached to, so the client installs every pushed route on the interface that made the DHCP request. And the client installs them as ordinary routes, alongside whatever routes other software, such as a VPN client, has already configured.
Essence of VPNs
A VPN, or Virtual Private Network, establishes an encrypted tunnel between a client device and a remote server so that data crosses the network in between without being readable. The VPN client creates a virtual network interface in addition to the physical NIC: traffic routed into the virtual interface is encrypted and then sent out through the physical NIC to the VPN server. To capture all of the host's traffic, clients commonly install routes through the virtual interface that are more specific than the existing default route (for example 0.0.0.0/1 and 128.0.0.0/1, which together cover every address), plus a host route to the VPN server itself through the physical gateway so the tunnel can be carried.
Deployment of TunnelVision
Leviathan's technique requires an attacker who can answer DHCP on the victim's local network, either by operating the network's DHCP server or by racing a rogue one onto the LAN, and who includes Option 121 routes in the lease. The kernel selects a route by longest prefix match, not by which route was installed first, so any pushed route more specific than the VPN's catch-all routes wins. Its next hop is an attacker-controlled gateway on the LAN, and the matching traffic therefore leaves through the physical NIC in the clear instead of through the tunnel. The attacker reads or modifies the packets and forwards them on to their real destinations, so applications keep working. The tunnel itself stays up, because the VPN client's own connection to the VPN server still travels over the physical interface exactly as before; the client keeps reporting it is connected, and a kill switch that only reacts to the tunnel going down never fires. Nothing about this is visible to the user.
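The following added example (not Leviathan's or GSTVPN's code) ties the two preceding pieces together: it decodes an Option 121 payload in the RFC 3442 wire format described above and replays it against a simulated routing table with the VPN's 0.0.0.0/1 and 128.0.0.0/1 routes, using longest-prefix-match lookup. The interface names, addresses and the rogue payload are constructed for the illustration; the payload pushes four /2 routes via an attacker gateway so that every destination except the VPN server itself flips from tun0 to eth0. A second run with the client ignoring Option 121 shows the routes staying on the tunnel.

```python
"""TunnelVision route-override simulation (added example, constructed data)."""
import ipaddress
import math

# Constructed sample network for the simulation.
LAN_GW = "192.168.1.1"        # legitimate default gateway
ATTACKER_GW = "192.168.1.254" # next hop the rogue DHCP server points routes at
VPN_SERVER = "203.0.113.10"   # hypothetical VPN endpoint

# Constructed Option 121 payload: 0.0.0.0/2, 64.0.0.0/2, 128.0.0.0/2 and
# 192.0.0.0/2, each via 192.168.1.254.  Each entry is
# <prefix width><significant destination octets><4-byte router>.
ROGUE_OPTION121 = bytes.fromhex(
    "02 00 c0a801fe" "02 40 c0a801fe" "02 80 c0a801fe" "02 c0 c0a801fe"
)


def parse_option121(payload: bytes):
    """Decode RFC 3442 classless static routes into (network, router) pairs."""
    routes, i = [], 0
    while i < len(payload):
        width = payload[i]
        if width > 32:
            raise ValueError(f"bad prefix width {width}")
        n = math.ceil(width / 8)            # only significant octets are sent
        i += 1
        if i + n + 4 > len(payload):
            raise ValueError("truncated option 121 entry")
        dest = int.from_bytes(payload[i:i + n] + bytes(4 - n), "big")
        router = ipaddress.IPv4Address(payload[i + n:i + n + 4])
        i += n + 4
        # strict=False masks stray host bits a sloppy server might set.
        routes.append((ipaddress.IPv4Network((dest, width), strict=False), router))
    return routes


class RoutingTable:
    """Minimal IPv4 routing table with longest-prefix-match lookup."""

    def __init__(self):
        self.routes = []  # (network, interface, gateway or None)

    def add(self, network, iface, gateway=None):
        self.routes.append((ipaddress.IPv4Network(network, strict=False), iface, gateway))

    def lookup(self, dst):
        """Return (network, iface, gateway) of the most specific matching route."""
        dst = ipaddress.IPv4Address(dst)
        best = None
        for net, iface, gw in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface, gw)
        return best


def client_with_vpn():
    """Routing table of a host whose VPN client has installed its /1 routes."""
    rt = RoutingTable()
    rt.add("0.0.0.0/0", "eth0", LAN_GW)          # DHCP default route
    rt.add("192.168.1.0/24", "eth0")             # local subnet
    rt.add(f"{VPN_SERVER}/32", "eth0", LAN_GW)   # host route so the tunnel can be carried
    rt.add("0.0.0.0/1", "tun0")                  # VPN catch-all routes
    rt.add("128.0.0.0/1", "tun0")
    return rt


def apply_option121(rt, payload, honour_option121=True):
    """Install pushed routes the way a DHCP client does: on the interface that
    obtained the lease (eth0), with no regard to routes already present."""
    if not honour_option121:                    # mitigation: ignore the option
        return []
    installed = parse_option121(payload)
    for net, gw in installed:
        rt.add(str(net), "eth0", str(gw))
    return installed


def egress_interfaces(honour_option121=True):
    """Which interface carries traffic to a few destinations after the lease."""
    rt = client_with_vpn()
    apply_option121(rt, ROGUE_OPTION121, honour_option121)
    return {dst: rt.lookup(dst)[1] for dst in ("1.1.1.1", "198.51.100.7", VPN_SERVER)}


if __name__ == "__main__":
    print("client honours option 121:", egress_interfaces(True))
    print("client ignores option 121:", egress_interfaces(False))
```

Run stand-alone, the first line shows every destination leaving via eth0 while the VPN server route is unchanged, which is exactly why the tunnel stays up and the client still reports "connected". Ignoring Option 121 in the DHCP client is one of the blunt mitigations this suggests, at the cost of breaking networks that legitimately rely on pushed routes.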
Protective Measures
- Android is not affected because its DHCP client does not implement Option 121, so pushed routes are never installed.
- Linux users can run the VPN in its own network namespace, which WireGuard supports directly. The DHCP client and the physical interface stay in one namespace while the VPN and the applications live in another, so routes pushed to the physical interface never reach the routing table the protected traffic uses. See the WireGuard documentation on routing and network namespaces: https://www.wireguard.com/netns/
- When on an untrusted network, such as hotel, conference or coffee-shop Wi-Fi, connecting through a personal hotspot or by tethering to an Android device acting as the hotspot is a reasonable temporary measure, since the attacker then has no DHCP access to the link the victim is on.
GSTVPN’s Safety Measures
- Encourages users to adopt the protective measures above.
- Monitors upstream providers for vulnerabilities and applies fixes as they become available.
- Is evaluating bespoke protocol designs that include mitigations against this class of route manipulation.
For the full technical details, refer to Leviathan Security Group's blog post on TunnelVision: https://www.leviathansecurity.com/blog/tunnelvision
This article has set out how TunnelVision works, what it means for VPN users, and the measures currently available, so that readers can judge their own exposure in the wake of this disclosure.