TunnelVision - How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak (CVE-2024-3661)

Interesting read.

So, in short:

The attacker needs to have access to your LAN and become the DHCP server, e.g. by a starvation attack or timing attacks
The attacked host system needs to support DHCP option 121 (atm basically every OS except Android)
by abusing DHCP option 121, the attacker can push routes to the attacked host system that supersede other rules in most network stacks by having a more specific prefix, e.g. a 192.168.1.1/32 will supersede 0.0.0.0/0
The attacker can now force the attacked host system to route the traffic intended for a VPN virtual network interface (to be encrypted and forwarded to the VPN server) to the (physical) interface used for DHCP
This leads to traffic intended to be sent over the VPN to not get encrypted and being sent outside the tunnel.
This attack can be used before or after a VPN connection is established
Since the VPN tunnel is still established, any implemented kill switch doesn't get triggered

DHCP option 121 is still used for a reason, especially in business networks. At least on Linux, using network namespaces will fix this. Firewall mitigations can also work, but create other (very theoretical) attack surfaces.

3 comments

Interesting read.
So, in short:
The attacker needs to have access to your LAN and become the DHCP server, e.g. by a starvation attack or timing attacks
The attacked host system needs to support DHCP option 121 (atm basically every OS except Android)
by abusing DHCP option 121, the attacker can push routes to the attacked host system that supersede other rules in most network stacks by having a more specific prefix, e.g. a 192.168.1.1/32 will supersede 0.0.0.0/0
The attacker can now force the attacked host system to route the traffic intended for a VPN virtual network interface (to be encrypted and forwarded to the VPN server) to the (physical) interface used for DHCP
This leads to traffic intended to be sent over the VPN to not get encrypted and being sent outside the tunnel.
This attack can be used before or after a VPN connection is established
Since the VPN tunnel is still established, any implemented kill switch doesn't get triggered
DHCP option 121 is still used for a reason, especially in business networks. At least on Linux, using network namespaces will fix this. Firewall mitigations can also work, but create other (very theoretical) attack surfaces.
- Thank you, that was helpful!
Really? A cve for dhcp option 121?