CVE-2024-3661 Vulnerability

Researchers have uncovered a method named TunnelVision, a Virtual Private Network (VPN) evasion technique enabling threat actors to intercept network traffic of victims who are on the same local network.

This 'decloaking' approach has been identified with CVE identifier CVE-2024-3661. It affects all operating systems incorporating a DHCP client that supports DHCP option 121 routes. TunnelVision essentially reroutes unencrypted traffic through a VPN by leveraging an attacker-controlled DHCP server, which uses classless static route option 121 to modify the routing table of VPN users. The DHCP protocol, by design, does not authenticate such option messages, thus exposing them to manipulation.

The Role of the DHCP Protocol

DHCP is a client/server protocol designed to automatically assign Internet Protocol (IP) addresses and related configuration details like subnet masks and default gateways to hosts, enabling them to connect to a network and its resources.

This protocol facilitates the reliable allocation of IP addresses through a server that maintains a pool of available addresses and assigns one to any DHCP-enabled client upon network startup.

Since these IP addresses are dynamic (leased) rather than static (permanently assigned), addresses that are no longer in use are automatically returned to the pool for reassignment.

The vulnerability allows an attacker with the capability to send DHCP messages to manipulate routing, redirecting VPN traffic. This exploit permits the attacker to potentially view, disrupt, or modify network traffic that was expected to be secure under the VPN. Since this method operates independently of VPN technologies or underlying protocols, it is completely unaffected by the VPN provider or implementation used.

The CVE-2024-3661 Vulnerability May Affect Most Major Operating Systems

In essence, TunnelVision deceives VPN users into thinking their connections are secure and encrypted through a tunnel but redirects them to the attacker's server for potential inspection. To successfully expose VPN traffic, the targeted host's DHCP client must support DHCP option 121 and accept a lease from the attacker's server.
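As an added example (not code from the original write-up or from the TunnelVision researchers), the following Python decodes a DHCP option 121 payload in the RFC 3442 classless static route encoding and flags entries that would win longest-prefix match over a VPN client's tunnel routes on the physical interface, which is the routing-table manipulation described above. The tunnel route set (0.0.0.0/1 and 128.0.0.0/1, a split commonly installed by VPN clients) and the sample payload are constructed assumptions.

```python
"""Decode a DHCP option 121 payload (RFC 3442 classless static routes) and
flag the routes that would shadow a VPN client's tunnel routes."""
import ipaddress

# Assumed tunnel routes: many VPN clients install 0.0.0.0/1 and 128.0.0.0/1
# to beat the /0 default route. Any DHCP route more specific than these wins
# longest-prefix match on the physical interface, bypassing the tunnel.
VPN_ROUTES = [ipaddress.IPv4Network("0.0.0.0/1"), ipaddress.IPv4Network("128.0.0.0/1")]

# Constructed payload: a /0 default via 192.168.1.1, then 8.8.8.0/24 and
# 10.0.0.0/8 pushed via LAN gateways. Each entry is: prefix length, the
# significant destination octets (ceil(prefix/8) of them), 4-byte gateway.
SAMPLE_OPTION_121 = bytes.fromhex(
    "00" "c0a80101"            # 0.0.0.0/0 via 192.168.1.1
    "18" "080808" "c0a801fe"   # 8.8.8.0/24 via 192.168.1.254
    "08" "0a" "c0a80101"       # 10.0.0.0/8 via 192.168.1.1
)


def decode_option_121(payload: bytes):
    """Return [(destination IPv4Network, gateway IPv4Address), ...]."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        n = (plen + 7) // 8                      # significant octets sent
        if i + 1 + n + 4 > len(payload):
            raise ValueError("truncated option 121 entry")
        dest = payload[i + 1:i + 1 + n] + b"\x00" * (4 - n)
        gw = payload[i + 1 + n:i + 1 + n + 4]
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False),
                       ipaddress.IPv4Address(gw)))
        i += 1 + n + 4
    return routes


def flag_vpn_bypass(routes, vpn_routes=VPN_ROUTES):
    """Return (net, gateway, shadowed VPN route) for each DHCP route that is
    strictly more specific than a tunnel route and lies inside it."""
    flagged = []
    for net, gw in routes:
        for vpn_net in vpn_routes:
            if net.prefixlen > vpn_net.prefixlen and net.subnet_of(vpn_net):
                flagged.append((net, gw, vpn_net))
    return flagged


if __name__ == "__main__":
    for net, gw, shadowed in flag_vpn_bypass(decode_option_121(SAMPLE_OPTION_121)):
        print(f"{net} via {gw} bypasses tunnel route {shadowed}")
```

The same check can be run against the option 121 bytes captured from a DHCP lease to confirm whether a given network's DHCP server is pushing routes that take traffic off the tunnel.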

This attack resembles TunnelCrack, which leaks traffic from a protected VPN tunnel when connecting to untrusted Wi-Fi networks or rogue ISPs, leading to adversary-in-the-middle (AitM) attacks.

The issue impacts major operating systems such as Windows, Linux, macOS, and iOS, but not Android due to its lack of support for DHCP option 121. VPN tools relying solely on routing rules to secure traffic are also affected.
