
New ‘TunnelVision’ Technique Leaks Traffic From Any VPN System

A new VPN bypass technique allows threat actors to snoop on victims’ traffic by forcing it off the VPN tunnel using built-in features of DHCP.

A new VPN bypass technique allows threat actors to snoop on victims’ traffic by forcing it off the VPN tunnel using built-in features of DHCP, penetration testing firm Leviathan Security Group warns.

Called TunnelVision, the technique relies on manipulating routing tables, the rules a computer uses to decide which interface each packet is sent through, and an attacker can use it without having to compromise the network’s DHCP server.

The technique exploits CVE-2024-3661, a DHCP design flaw where messages such as the classless static route (option 121) are not authenticated, exposing them to manipulation.

“An attacker with the ability to send DHCP messages can manipulate routes to redirect VPN traffic, allowing the attacker to read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN,” a NIST advisory reads.

By exploiting the vulnerability, an attacker on the local network could redirect traffic to the local network instead of the VPN. Leviathan, which calls the bypass ‘decloaking’, has published full technical details on TunnelVision.

To mount an attack, a threat actor only needs to be on the same network as the victim, the penetration testing firm explains. However, successful decloaking is dependent on the targeted host accepting a DHCP lease from the attacker-controlled server, and for option 121 to be implemented by the host’s DHCP client.
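The routing decision behind the bypass is longest-prefix match: a VPN client typically installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel to beat the LAN’s 0.0.0.0/0 default, and any more specific route installed via DHCP option 121 wins over those. The following Python is an added illustration, not code from the article or from Leviathan: it decodes an RFC 3442 option 121 payload, applies longest-prefix match to a constructed routing table, and lists routes that steer traffic away from the tunnel interface. Every address, interface name and the option payload are constructed sample values.

```python
"""Decode DHCP option 121 and show how its routes win over a VPN's /1 routes."""
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address
RouteEntry = Tuple[Net, Addr, str]  # destination, gateway, interface


def decode_option_121(payload: bytes) -> List[Tuple[Net, Addr]]:
    """Decode RFC 3442 classless static routes (the DHCP option 121 payload).

    Each route is encoded as: 1 byte prefix length, ceil(prefix/8)
    significant destination octets, then a 4-byte router address.
    """
    routes = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        nbytes = (plen + 7) // 8
        if i + nbytes + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        dest = int.from_bytes(payload[i:i + nbytes].ljust(4, b"\x00"), "big")
        i += nbytes
        router = Addr(payload[i:i + 4])
        i += 4
        routes.append((Net((dest, plen), strict=False), router))
    return routes


def select_route(dst: Addr, table: List[RouteEntry]) -> Optional[RouteEntry]:
    """Longest-prefix match: the most specific matching route wins."""
    best = None
    for entry in table:
        net = entry[0]
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = entry
    return best


def vpn_bypassing_routes(table: List[RouteEntry], vpn_if: str,
                         vpn_server: Addr, lan_net: Net) -> List[RouteEntry]:
    """Routes that send traffic out of a non-VPN interface.

    The local LAN subnet and the host route to the VPN server legitimately
    bypass the tunnel; a bare default route is already beaten by the VPN's
    /1 routes, so only more specific non-VPN routes are reported.
    """
    out = []
    for net, gw, ifname in table:
        if ifname == vpn_if or net.prefixlen == 0:
            continue
        if net == lan_net or (net.prefixlen == 32 and vpn_server in net):
            continue
        out.append((net, gw, ifname))
    return out


# Constructed sample: a typical VPN-connected host's table (hypothetical addresses).
VPN_IF, LAN_IF = "tun0", "eth0"
VPN_SERVER = Addr("198.51.100.10")
LAN_NET = Net("192.168.1.0/24")
BASE_TABLE: List[RouteEntry] = [
    (Net("0.0.0.0/1"), Addr("10.8.0.1"), VPN_IF),
    (Net("128.0.0.0/1"), Addr("10.8.0.1"), VPN_IF),
    (Net("0.0.0.0/0"), Addr("192.168.1.1"), LAN_IF),
    (LAN_NET, Addr("0.0.0.0"), LAN_IF),
    (Net("198.51.100.10/32"), Addr("192.168.1.1"), LAN_IF),
]

# Constructed option 121 payload: 203.0.113.0/24 via 192.168.1.1, then 0.0.0.0/0 via 192.168.1.1.
SAMPLE_OPTION_121 = bytes([24, 203, 0, 113, 192, 168, 1, 1,
                           0, 192, 168, 1, 1])


def table_after_dhcp(option_121: bytes = SAMPLE_OPTION_121) -> List[RouteEntry]:
    """Routing table once the DHCP client installs the option 121 routes on the LAN interface."""
    return BASE_TABLE + [(net, gw, LAN_IF) for net, gw in decode_option_121(option_121)]


if __name__ == "__main__":
    table = table_after_dhcp()
    for dst in ("203.0.113.5", "1.1.1.1"):
        net, gw, ifname = select_route(Addr(dst), table)
        print(f"{dst}: via {gw} dev {ifname} (matched {net})")
    for net, gw, ifname in vpn_bypassing_routes(table, VPN_IF, VPN_SERVER, LAN_NET):
        print(f"bypasses VPN: {net} via {gw} dev {ifname}")
```

Running the check against a live host would mean feeding it the routes from `ip route` and the DHCP lease file; the sample table here is constructed so the example runs offline.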

According to Leviathan, an attacker could become the victim’s DHCP server by targeting the true DHCP server with a starvation attack, by racing to respond to the client’s broadcasts, or by performing ARP spoofing to intercept traffic between the client and the true DHCP server.

“Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it,” Leviathan explains.


The security firm also notes that, while the attack is in progress, the victim is shown as still being connected to the VPN.

Because the security defect is not dependent on the VPN provider or implementation, most VPN systems based on IP routing are believed to be vulnerable to TunnelVision.

Leviathan believes that the vulnerability has existed in DHCP since 2002, when option 121 was introduced, and that the attack technique “could have already been discovered and potentially used in the wild”.

A possible mitigation that does not impact the privacy of VPN users would be for VPN providers to implement network namespaces on supporting operating systems (the feature is available on Linux systems), which could isolate interfaces and routing tables from the local network’s control.

Due to the broad implications of the vulnerability, Leviathan has reported it to the Electronic Frontier Foundation (EFF) and the US cybersecurity agency CISA, which helped notify over 50 vendors prior to the public disclosure.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
