{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3661", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "state": "PUBLISHED", "assignerShortName": "cisa-cg", "dateReserved": "2024-04-11T17:24:22.637Z", "datePublished": "2024-05-06T18:31:21.217Z", "dateUpdated": "2024-08-28T19:09:06.995Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "DHCP", "vendor": "IETF", "versions": [{"status": "affected", "version": "0"}]}], "datePublic": "2002-12-31T01:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "DHCP can add routes to a client\u2019s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN."}], "value": "DHCP can add routes to a client\u2019s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-501", "description": "CWE-501 Trust Boundary Violation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2024-07-01T15:04:50.790Z"}, "references": [{"url": "https://datatracker.ietf.org/doc/html/rfc2131#section-7"}, {"url": "https://datatracker.ietf.org/doc/html/rfc3442#section-7"}, {"url": "https://tunnelvisionbug.com/"}, {"url": "https://www.leviathansecurity.com/research/tunnelvision"}, {"url": "https://news.ycombinator.com/item?id=40279632"}, {"url": "https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/"}, {"url": "https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/"}, {"url": "https://issuetracker.google.com/issues/263721377"}, {"url": "https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision"}, {"url": "https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability"}, {"url": "https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic"}, {"url": "https://news.ycombinator.com/item?id=40284111"}, {"url": "https://www.agwa.name/blog/post/hardening_openvpn_for_def_con"}, {"url": "https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/"}, {"url": "https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661"}, {"url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009"}, {"url": "https://bst.cisco.com/quickview/bug/CSCwk05814"}, {"url": "https://security.paloaltonetworks.com/CVE-2024-3661"}, {"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-170"}, {"url": "https://my.f5.com/manage/s/article/K000139553"}], "source": {"discovery": "UNKNOWN"}, "title": "DHCP routing options can manipulate interface-based VPN traffic", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:20:00.420Z"}, "title": "CVE Program Container", "references": [{"url": "https://datatracker.ietf.org/doc/html/rfc2131#section-7", "tags": ["x_transferred"]}, {"url": "https://datatracker.ietf.org/doc/html/rfc3442#section-7", "tags": ["x_transferred"]}, {"url": "https://tunnelvisionbug.com/", "tags": ["x_transferred"]}, {"url": "https://www.leviathansecurity.com/research/tunnelvision", "tags": ["x_transferred"]}, {"url": "https://news.ycombinator.com/item?id=40279632", "tags": ["x_transferred"]}, {"url": "https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/", "tags": ["x_transferred"]}, {"url": "https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/", "tags": ["x_transferred"]}, {"url": "https://issuetracker.google.com/issues/263721377", "tags": ["x_transferred"]}, {"url": "https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision", "tags": ["x_transferred"]}, {"url": "https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability", "tags": ["x_transferred"]}, {"url": "https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic", "tags": ["x_transferred"]}, {"url": "https://news.ycombinator.com/item?id=40284111", "tags": ["x_transferred"]}, {"url": "https://www.agwa.name/blog/post/hardening_openvpn_for_def_con", "tags": ["x_transferred"]}, {"url": "https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/", "tags": ["x_transferred"]}, {"url": "https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661", "tags": ["x_transferred"]}, {"url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009", "tags": ["x_transferred"]}, {"url": "https://bst.cisco.com/quickview/bug/CSCwk05814", "tags": ["x_transferred"]}, {"url": "https://security.paloaltonetworks.com/CVE-2024-3661", "tags": ["x_transferred"]}, {"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-170", "tags": ["x_transferred"]}, {"url": "https://my.f5.com/manage/s/article/K000139553", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-05-08T04:00:07.962328Z", "id": "CVE-2024-3661", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T19:09:06.995Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://datatracker.ietf.org/doc/html/rfc2131#section-7", "tags": ["x_transferred"]}, {"url": "https://datatracker.ietf.org/doc/html/rfc3442#section-7", "tags": ["x_transferred"]}, {"url": "https://tunnelvisionbug.com/", "tags": ["x_transferred"]}, {"url": "https://www.leviathansecurity.com/research/tunnelvision", "tags": ["x_transferred"]}, {"url": "https://news.ycombinator.com/item?id=40279632", "tags": ["x_transferred"]}, {"url": "https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/", "tags": ["x_transferred"]}, {"url": "https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/", "tags": ["x_transferred"]}, {"url": "https://issuetracker.google.com/issues/263721377", "tags": ["x_transferred"]}, {"url": "https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision", "tags": ["x_transferred"]}, {"url": "https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability", "tags": ["x_transferred"]}, {"url": "https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic", "tags": ["x_transferred"]}, {"url": "https://news.ycombinator.com/item?id=40284111", "tags": ["x_transferred"]}, {"url": "https://www.agwa.name/blog/post/hardening_openvpn_for_def_con", "tags": ["x_transferred"]}, {"url": "https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/", "tags": ["x_transferred"]}, {"url": "https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661", "tags": ["x_transferred"]}, {"url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009", "tags": ["x_transferred"]}, {"url": "https://bst.cisco.com/quickview/bug/CSCwk05814", "tags": ["x_transferred"]}, {"url": "https://security.paloaltonetworks.com/CVE-2024-3661", "tags": ["x_transferred"]}, {"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-170", "tags": ["x_transferred"]}, {"url": "https://my.f5.com/manage/s/article/K000139553", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:20:00.420Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3661", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-08T04:00:07.962328Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T19:09:03.429Z"}}], "cna": {"title": "DHCP routing options can manipulate interface-based VPN traffic", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "IETF", "product": "DHCP", "versions": [{"status": "affected", "version": "0"}], "defaultStatus": "affected"}], "datePublic": "2002-12-31T01:00:00.000Z", "references": [{"url": "https://datatracker.ietf.org/doc/html/rfc2131#section-7"}, {"url": "https://datatracker.ietf.org/doc/html/rfc3442#section-7"}, {"url": "https://tunnelvisionbug.com/"}, {"url": "https://www.leviathansecurity.com/research/tunnelvision"}, {"url": "https://news.ycombinator.com/item?id=40279632"}, {"url": "https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/"}, {"url": "https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/"}, {"url": "https://issuetracker.google.com/issues/263721377"}, {"url": "https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision"}, {"url": "https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability"}, {"url": "https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic"}, {"url": "https://news.ycombinator.com/item?id=40284111"}, {"url": "https://www.agwa.name/blog/post/hardening_openvpn_for_def_con"}, {"url": "https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/"}, {"url": "https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661"}, {"url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009"}, {"url": "https://bst.cisco.com/quickview/bug/CSCwk05814"}, {"url": "https://security.paloaltonetworks.com/CVE-2024-3661"}, {"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-170"}, {"url": "https://my.f5.com/manage/s/article/K000139553"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "DHCP can add routes to a client\u2019s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.", "supportingMedia": [{"type": "text/html", "value": "DHCP can add routes to a client\u2019s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-501", "description": "CWE-501 Trust Boundary Violation"}]}], "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2024-07-01T15:04:50.790Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3661", "state": "PUBLISHED", "dateUpdated": "2024-08-28T19:09:06.995Z", "dateReserved": "2024-04-11T17:24:22.637Z", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "datePublished": "2024-05-06T18:31:21.217Z", "assignerShortName": "cisa-cg"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:linux:*:*", "matchCriteriaId": "F0918F54-0052-42BD-A73E-CFF198B9EC48", "versionEndExcluding": "7.2.5", "versionStartIncluding": "6.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:macos:*:*", "matchCriteriaId": "81B7F626-84B5-47A5-959F-735D6250C147", "versionEndExcluding": "7.2.5", "versionStartIncluding": "6.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:windows:*:*", "matchCriteriaId": "5E714EAF-73AB-41EA-AC57-E59B78FD7853", "versionEndExcluding": "7.2.5", "versionStartIncluding": "6.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:forticlient:7.4.0:*:*:*:*:linux:*:*", "matchCriteriaId": "7B728862-1FAB-47B4-823D-2C19CBF76DAD", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:forticlient:7.4.0:*:*:*:*:macos:*:*", "matchCriteriaId": "0A079CA4-D957-402A-B899-31F26A89DF00", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:forticlient:7.4.0:*:*:*:*:windows:*:*", "matchCriteriaId": "6B512696-8596-4458-ADC9-24DD3C6C377B", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cisco:anyconnect_vpn_client:-:*:*:*:*:*:*:*", "matchCriteriaId": "59289E79-5A0A-4675-B7D4-C759401736A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:secure_client:-:*:*:*:*:*:*:*", "matchCriteriaId": "FE81F5D2-269B-4098-AA9F-2DBCA3CB8813", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "8EEBB31D-BC9C-4EAD-86B1-8B95AB118A2D", "vulnerable": true}, {"criteria": "cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:linux:*:*", "matchCriteriaId": "4814D5DB-A96C-4D91-9DAE-87FF0DA101D2", "vulnerable": true}, {"criteria": "cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:macos:*:*", "matchCriteriaId": "72F88FEB-766B-4FCD-B78E-0E8E5E2B5CCA", "vulnerable": true}, {"criteria": "cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:windows:*:*", "matchCriteriaId": "D5537140-CDA3-4410-B101-24D1AB3624EA", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:citrix:secure_access_client:*:*:*:*:*:*:*:*", "matchCriteriaId": "CB344FC1-AD7C-4988-A703-8B2CD0AEF57C", "versionEndExcluding": "24.06.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*", "matchCriteriaId": "B5415705-33E5-46D5-8E4D-9EBADC8C5705", "vulnerable": false}, {"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:citrix:secure_access_client:*:*:*:*:*:*:*:*", "matchCriteriaId": "697D4070-101A-45B1-99B1-F33ECF03945C", "versionEndExcluding": "24.8.5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "FB16CE4D-183C-44B9-A5FF-6F9FA3C0A618", "versionEndIncluding": "7.2.5", "versionStartIncluding": "7.2.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A7F605E-EB10-40FB-98D6-7E3A95E310BC", "versionEndIncluding": "15.1.10", "versionStartIncluding": "15.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "E8FEC1DE-D11F-4DC8-8B21-51BAF1731A5F", "versionEndIncluding": "16.1.5", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "9DE3A941-B898-4EAB-9073-C6A312E59FC5", "versionEndIncluding": "17.1.2", "versionStartIncluding": "17.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:watchguard:ipsec_mobile_vpn_client:*:*:*:*:*:macos:*:*", "matchCriteriaId": "FFB4A7FD-AC96-490D-9CBB-72166D46C4FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:watchguard:ipsec_mobile_vpn_client:*:*:*:*:*:windows:*:*", "matchCriteriaId": "2EAD2DBA-3038-4EF8-8BAE-80BD3DA97B33", "vulnerable": true}, {"criteria": "cpe:2.3:a:watchguard:mobile_vpn_with_ssl:*:*:*:*:*:macos:*:*", "matchCriteriaId": "AB8A39F6-8AD5-4B9D-92E4-7E28EE78C5B2", "vulnerable": true}, {"criteria": "cpe:2.3:a:watchguard:mobile_vpn_with_ssl:*:*:*:*:*:windows:*:*", "matchCriteriaId": "0AF97158-6BB8-47CA-8214-98D2F801C8BA", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zscaler:client_connector:*:*:*:*:*:linux:*:*", "matchCriteriaId": "1F206869-8FCE-40AE-ADDC-62F221E00004", "versionEndExcluding": "1.5.1.25", "vulnerable": true}, {"criteria": "cpe:2.3:a:zscaler:client_connector:*:*:*:*:*:macos:*:*", "matchCriteriaId": "7D37D825-E2B8-4924-AA8A-ACB0E08A3C61", "versionEndExcluding": "4.2.0.282", "vulnerable": true}, {"criteria": "cpe:2.3:a:zscaler:client_connector:*:*:*:*:*:linux:*:*", "matchCriteriaId": "4EC77FDF-1E1A-4638-9C9F-DA4205FDD69B", "versionEndExcluding": "3.7.0.134", "versionStartIncluding": "3.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:zscaler:client_connector:-:*:*:*:*:windows:*:*", "matchCriteriaId": "C057E1BC-C7BA-4EAF-8200-560035118FA0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "DHCP can add routes to a client\u2019s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN."}, {"lang": "es", "value": "Por dise\u00f1o, el protocolo DHCP no autentica mensajes, incluida, por ejemplo, la opci\u00f3n de ruta est\u00e1tica sin clases (121). Un atacante con la capacidad de enviar mensajes DHCP puede manipular rutas para redirigir el tr\u00e1fico VPN, lo que le permite leer, interrumpir o posiblemente modificar el tr\u00e1fico de red que se esperaba que estuviera protegido por la VPN. Muchos, si no la mayor\u00eda, de los sistemas VPN basados en enrutamiento IP son susceptibles a este tipo de ataques."}], "id": "CVE-2024-3661", "lastModified": "2025-01-15T16:50:28.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-06T19:15:11.027", "references": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Press/Media Coverage"], "url": "https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Vendor Advisory"], "url": "https://bst.cisco.com/quickview/bug/CSCwk05814"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Related"], "url": "https://datatracker.ietf.org/doc/html/rfc2131#section-7"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Related"], "url": "https://datatracker.ietf.org/doc/html/rfc3442#section-7"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Vendor Advisory"], "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-170"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Issue Tracking"], "url": "https://issuetracker.google.com/issues/263721377"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Press/Media Coverage"], "url": "https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Issue Tracking"], "url": "https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"], "url": "https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Vendor Advisory"], "url": "https://my.f5.com/manage/s/article/K000139553"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Issue Tracking"], "url": "https://news.ycombinator.com/item?id=40279632"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Issue Tracking"], "url": "https://news.ycombinator.com/item?id=40284111"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Vendor Advisory"], "url": "https://security.paloaltonetworks.com/CVE-2024-3661"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Vendor Advisory"], "url": "https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Exploit", "Third Party Advisory"], "url": "https://tunnelvisionbug.com/"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Related"], "url": "https://www.agwa.name/blog/post/hardening_openvpn_for_def_con"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"], "url": "https://www.leviathansecurity.com/research/tunnelvision"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Press/Media Coverage"], "url": "https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Press/Media Coverage"], "url": "https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://bst.cisco.com/quickview/bug/CSCwk05814"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Related"], "url": "https://datatracker.ietf.org/doc/html/rfc2131#section-7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Related"], "url": "https://datatracker.ietf.org/doc/html/rfc3442#section-7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-170"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://issuetracker.google.com/issues/263721377"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Press/Media Coverage"], "url": "https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://my.f5.com/manage/s/article/K000139553"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://news.ycombinator.com/item?id=40279632"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://news.ycombinator.com/item?id=40284111"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://security.paloaltonetworks.com/CVE-2024-3661"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://tunnelvisionbug.com/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Related"], "url": "https://www.agwa.name/blog/post/hardening_openvpn_for_def_con"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.leviathansecurity.com/research/tunnelvision"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Press/Media Coverage"], "url": "https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability"}], "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-501"}], "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2025:0288", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "NetworkManager-1:1.40.16-18.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-01-13T00:00:00Z"}, {"advisory": "RHSA-2025:0288", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "NetworkManager-1:1.40.16-18.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-01-13T00:00:00Z"}, {"advisory": "RHSA-2025:0377", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "NetworkManager-1:1.48.10-5.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-01-16T00:00:00Z"}, {"advisory": "RHSA-2025:0377", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "NetworkManager-1:1.48.10-5.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-01-16T00:00:00Z"}], "bugzilla": {"description": "DHCP: DHCP routing options can manipulate interface-based VPN traffic", "id": "2320141", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2320141"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.6", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "status": "verified"}, "cwe": "(CWE-306|CWE-501)", "details": ["DHCP can add routes to a client\u2019s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.", "DHCP can add routes to a client\u2019s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic expected to be protected by the VPN."], "mitigation": {"lang": "en:us", "value": "The mitigation steps also ensure that the applications using the VPN cannot access local resources outside the VPN in full-tunnel mode. If access to local resources outside the VPN is needed, additional routing configuration is necessary.\nThe following steps demonstrate how to configure VPN profiles with NetworkManager to prioritize VPN routes over DHCP routes. This uses routing rules with a higher priority than the rule to lookup the main routing table. This means that the VPN routing table is consulted prior to the main routing table. Please note that a higher priority is configured by setting a lower priority value in the routing configuration.\n1. There were two bugs in NetworkManager that prevented these steps from working with profiles using VPN plugins, such as libreswan. Therefore first update NetworkManager:\n- On RHEL 8.10, use NetworkManager-1.40.16-18.el8_10 or later.\n- On RHEL 9.5 and later, use NetworkManager-1.48.10-5.el9_5 or later.\n2. In the next steps, you will assign the VPN routes to a dedicated routing table. By default, RHEL does not use the routing tables 1-252, and you can use one of them. If you configured the system to use some of these tables, identify a free routing table number. The following example uses the routing table 75.\n3. Optional: Configure a name for the routing table by adding a line, such as the following, to the /etc/iproute2/rt_tables file:\n75 vpn\nThis makes the output of ip commands easier to understand. Note that NetworkManager only supports using a table ID and not the table name.\n4. Configure the VPN connection profile to place the VPN routes in a dedicated routing table:\n# nmcli connection modify <VPN_connection_profile> ipv4.route-table <routing_table_number>\nFor example:\n# nmcli connection modify \"Company VPN\" ipv4.route-table 75\n5. Set a low priority value for the table you used in the previous command:\n# nmcli connection modify <VPN_connection_profile> ipv4.routing-rules \"priority <low_priority_value> from all table <routing_table_number>\"\nThe priority value can be any value between 1 and 32766 but, the lower the value, the higher the priority!\nFor example:\n# nmcli connection modify \"Company VPN\" ipv4.routing-rules \"priority 32345 from all table 75\"\n6. Reconnect the VPN:\n# nmcli connection down <VPN_connection_profile>\n# nmcli connection up <VPN_connection_profile>\nThis only prevents the TunnelVision techniques and possibly related issues regarding IPv4. For IPv6 it might be necessary to repeat the steps for IPv6.\nIf other software than NetworkManager is used to configure a VPN, it might need similar configuration changes to mitigate against TunnelVision."}, "name": "CVE-2024-3661", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "dhcpcd", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "NetworkManager", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "dhcp", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "NetworkManager", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "dhcp", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "NetworkManager", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "dhcp", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "dhcp", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-06T18:31:21Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-3661\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-3661\nhttps://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/\nhttps://bst.cisco.com/quickview/bug/CSCwk05814\nhttps://datatracker.ietf.org/doc/html/rfc2131#section-7\nhttps://datatracker.ietf.org/doc/html/rfc3442#section-7\nhttps://fortiguard.fortinet.com/psirt/FG-IR-24-170\nhttps://issuetracker.google.com/issues/263721377\nhttps://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/\nhttps://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic\nhttps://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision\nhttps://my.f5.com/manage/s/article/K000139553\nhttps://news.ycombinator.com/item?id=40279632\nhttps://news.ycombinator.com/item?id=40284111\nhttps://security.paloaltonetworks.com/CVE-2024-3661\nhttps://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661\nhttps://tunnelvisionbug.com/\nhttps://www.agwa.name/blog/post/hardening_openvpn_for_def_con\nhttps://www.leviathansecurity.com/research/tunnelvision\nhttps://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/\nhttps://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009\nhttps://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability"], "statement": "This vulnerability is also known as TunnelVision and it describes a technique to use DHCP configuration to manipulate hosts to send traffic to an attacker's host instead of through a VPN, as expected. According to MITRE it is reported as a vulnerability against DHCP. However, the DHCP protocol works as intended and as a protocol without cryptographic protection, attackers do not break a security boundary in the DHCP protocol by using the DHCP option 121. To prevent against the attack vector, users or VPN configuration software need to configure the VPN correctly or use other techniques to avoid that a DHCP configuration manipulates routing decisions for packets intended to be contained in the VPN.\nThis affects only situations where hosts use DHCP in a network and attackers can control a DHCP server. It affects full-tunnel and split-tunnel based VPNs. IPSec policy-based VPNs do not send unencrypted traffic to attackers as they encrypt traffic regardless of the routing decision.", "threat_severity": "Moderate"}

{}