New ‘TunnelVision’ Technique Leaks Traffic From Any VPN System

May 8, 2024 at 10:01AM

A new VPN bypass technique, TunnelVision, manipulates DHCP route tables to force traffic off the VPN tunnel, allowing threat actors to snoop on and manipulate network traffic. Because it exploits a design flaw in DHCP itself, it does not depend on compromising the DHCP server. Leviathan Security Group recommends mitigation strategies to VPN providers and has reported the vulnerability to the relevant authorities.

Leviathan Security Group has discovered a new VPN bypass technique named TunnelVision. This technique allows threat actors to intercept and redirect VPN traffic, potentially exposing sensitive information to unauthorized access. The technique exploits a DHCP design flaw (CVE-2024-3661) and can be executed by an attacker who is on the same network as the victim.

The attack involves the attacker running a DHCP server on the same network as the victim and manipulating the victim's routing table to force traffic through the attacker's server, enabling them to intercept and snoop on the traffic. Notably, the attack does not depend on the specific VPN provider or implementation, making it widely applicable to VPN systems based on IP routing.
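As an added example (not Leviathan's code and not part of the original article), the following Python script shows how a defender could audit a Linux host's routing table for routes that would pull traffic off the tunnel in the way described above. It assumes the VPN installs the common split-default routes 0.0.0.0/1 and 128.0.0.0/1 via a tunnel interface named `tun0`, that the VPN endpoint is 198.51.100.7, and that the `ip route show` output embedded below is constructed for illustration rather than captured from a real host.

```python
"""Audit a Linux routing table for routes that bypass a VPN tunnel.

Added example, not Leviathan's code. Assumptions (hypothetical):
  - the VPN installs 0.0.0.0/1 and 128.0.0.0/1 via interface "tun0";
  - the VPN server is 198.51.100.7, so a host route to it via the
    physical interface is legitimate;
  - SAMPLE_IP_ROUTE is constructed `ip route show` output, not real data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a normal DHCP default, the VPN's split-default routes,
# the connected LAN, a host route to the VPN server, and one DHCP-pushed
# /24 via the LAN gateway that would steal traffic from the tunnel.
SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
198.51.100.7 via 192.168.1.1 dev eth0
203.0.113.0/24 via 192.168.1.1 dev eth0 proto dhcp
"""

KEYWORDS = ("via", "dev", "proto", "scope", "metric", "src")


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    dev: str
    via: Optional[str]
    proto: Optional[str]
    scope: Optional[str]


def parse_ip_route(text: str) -> List[Route]:
    """Parse `ip route show` lines (IPv4 only) into Route records."""
    routes: List[Route] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dest = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        net = ipaddress.ip_network(dest, strict=False)
        if net.version != 4:
            continue  # keep the example to IPv4
        # Remaining tokens come as "keyword value" pairs in any order.
        kv = {}
        i = 1
        while i < len(tokens) - 1:
            if tokens[i] in KEYWORDS:
                kv[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                i += 1
        routes.append(Route(net, kv.get("dev", ""), kv.get("via"),
                            kv.get("proto"), kv.get("scope")))
    return routes


def find_bypass_routes(routes: List[Route], tunnel_dev: str,
                       vpn_server: Optional[str] = None) -> List[Route]:
    """Return routes that capture traffic the tunnel should carry.

    A non-tunnel route is suspicious when it overlaps a tunnel route and is
    at least as specific, because longest-prefix matching then sends that
    traffic out the physical interface. Directly connected subnets
    (scope link) and the host route to the VPN server are expected.
    """
    tunnel_nets = [r.dest for r in routes if r.dev == tunnel_dev]
    findings: List[Route] = []
    for r in routes:
        if r.dev == tunnel_dev or r.scope == "link":
            continue
        if (vpn_server and r.dest.prefixlen == 32
                and ipaddress.ip_address(vpn_server) in r.dest):
            continue
        if any(r.dest.overlaps(t) and r.dest.prefixlen >= t.prefixlen
               for t in tunnel_nets):
            findings.append(r)
    return findings


if __name__ == "__main__":
    for hit in find_bypass_routes(parse_ip_route(SAMPLE_IP_ROUTE),
                                  "tun0", vpn_server="198.51.100.7"):
        print(f"bypass route: {hit.dest} dev {hit.dev} via {hit.via} "
              f"proto {hit.proto}")
```

Run against a live host by replacing the constructed sample with the output of `ip route show`; the `proto` field is reported so a reviewer can see which flagged routes were installed by the DHCP client rather than by the VPN software.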

To mitigate this vulnerability without impacting the privacy of VPN users, Leviathan suggests that VPN providers implement network namespaces on operating systems that support them. This feature, available on Linux, can isolate the VPN's interfaces and routing tables from the local network's control.

As a result of the significant impact of this vulnerability, Leviathan has reported it to the Electronic Frontier Foundation (EFF) and the US cybersecurity agency CISA, which in turn notified over 50 vendors prior to the public disclosure.

In conclusion, the discovery of TunnelVision presents a critical security issue for VPN users, and proactive measures need to be taken to address this vulnerability and protect network traffic from potential exploitation.
