Researchers have unveiled a VPN bypass technique called TunnelVision that enables attackers to intercept a victim’s network traffic when on the same local network.
The method, known as “decloaking,” has been identified with CVE-2024-3661 (CVSS score: 7.6) and affects operating systems that use a DHCP client and support DHCP option 121 routes.
TunnelVision works by routing unencrypted traffic through a VPN by manipulating a DHCP server using classless static route option 121 to alter the VPN user’s routing table.
The vulnerability arises because the DHCP protocol does not authenticate such option messages, making them susceptible to tampering.
DHCP is a protocol that automatically assigns an IP address to a host, along with other network configuration details like a subnet mask and default gateway.
In essence, TunnelVision allows an attacker to redirect VPN traffic by manipulating routes, potentially exposing or modifying traffic meant to be secure within the VPN.
The attack does not rely on exploiting VPN technologies or protocols, making it independent of the VPN provider or implementation.
To defend against TunnelVision, organizations are advised to implement DHCP snooping, ARP protections, and port security on switches. Additionally, using network namespaces on Linux can help mitigate the risk.
