New TunnelVision Attack Allows Hijacking of VPN Traffic via DHCP Manipulation

May 9, 2024 at 02:46PM

TunnelVision is a newly detailed VPN bypass method, assigned CVE identifier CVE-2024-3661, impacting operating systems with DHCP client support. This decloaking technique enables attackers to reroute and potentially inspect VPN traffic. It has significant implications for various operating systems and VPN tools; mitigations include implementing DHCP snooping and ARP protections.

The meeting notes cover a presentation on a new VPN bypass technique called TunnelVision. The technique allows threat actors to intercept and manipulate network traffic by exploiting a vulnerability in the DHCP protocol. TunnelVision manipulates routes to redirect VPN traffic, thereby enabling attackers to read, disrupt, or potentially modify supposedly protected network traffic.

TunnelVision affects major operating systems such as Windows, Linux, macOS, and iOS; Android is not affected. It also impacts VPN tools that rely solely on routing rules to secure traffic. Mullvad, a VPN provider, confirmed that its desktop versions have firewall rules to block traffic outside the VPN tunnel, but the iOS version is vulnerable to TunnelVision.

The vulnerability has been assigned the CVE identifier CVE-2024-3661 with a CVSS score of 7.6. To mitigate TunnelVision, organizations are advised to implement DHCP snooping, ARP protections, port security on switches, and network namespaces on Linux.
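Because the technique works by manipulating routes, a host-side check can look for routes on a non-VPN interface that are more specific than the routes pointing into the tunnel, since longest-prefix matching sends that traffic outside the VPN. The following is an added example, not code from the article or from any VPN vendor; it assumes Linux `ip -4 route show` output, and the interface names (`tun0`, `eth0`), addresses and allow-list are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ip -4 route show` on a host with a VPN on tun0 (not from the article).
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 dev tun0 scope link
128.0.0.0/1 dev tun0 scope link
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
8.8.8.0/24 via 192.168.1.66 dev eth0 proto dhcp
0.0.0.0/2 via 192.168.1.66 dev eth0 proto dhcp
"""

def parse_routes(text):
    """Yield (network, device) for every route line that names an output device."""
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields[:-1]:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # route types such as "unreachable" or "blackhole"
        yield net, fields[fields.index("dev") + 1]

def find_bypass_routes(text, vpn_if, allowed=()):
    """Return non-VPN routes that are more specific than a route into the tunnel."""
    routes = list(parse_routes(text))
    vpn_nets = [net for net, dev in routes if dev == vpn_if]
    allow = [ipaddress.ip_network(a) for a in allowed]
    findings = []
    for net, dev in routes:
        if dev == vpn_if or net in allow:
            continue
        # A longer prefix wins over the tunnel route; equal-prefix ties
        # (decided by metric) are outside the scope of this check.
        if any(net.subnet_of(v) and net.prefixlen > v.prefixlen for v in vpn_nets):
            findings.append((str(net), dev))
    return findings

if __name__ == "__main__":
    # Allow-list (assumed): the local LAN and the VPN server's host route.
    for net, dev in find_bypass_routes(SAMPLE_ROUTES, "tun0",
                                       ["192.168.1.0/24", "203.0.113.10/32"]):
        print(f"route {net} via {dev} bypasses the tunnel")
```

A finding here shows only that the routing table would send traffic outside the tunnel; VPN clients that also enforce firewall rules, as described above for Mullvad's desktop versions, would still block that traffic.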
