"TunnelVision" VPN flaw threatens network security

Target Industry 

Indiscriminate, opportunistic targeting. Any organisation whose users connect to a VPN from a network they do not control (public Wi-Fi, hotel, conference or coffee-shop networks) is exposed, because the attacker only needs to be on the same local network as the victim.

Overview  

Researchers at the Leviathan Security Group have published a technique that forces traffic out of any routing-based Virtual Private Network (VPN) tunnel by abusing a standard feature of the local network: the DHCP classless static route option (option 121, defined in RFC 3442). The technique has been named "TunnelVision" and is tracked as CVE-2024-3661 (CVSSv3.1 score: 7.6). Because option 121 dates from 2002, the researchers note that the attack has been possible for as long as the option has existed.

The weakness is not in any VPN protocol or its cryptography. Operating systems install the routes received in DHCP option 121 into the host routing table, and routing decisions follow the most specific (longest-prefix) matching route. A VPN client typically captures traffic with the catch-all routes 0.0.0.0/1 and 128.0.0.0/1 via the tunnel interface, so an attacker who can answer DHCP requests on the local network can push more specific routes that point at the physical gateway instead. Matching traffic then leaves the host outside the tunnel, unencrypted by the VPN, while the tunnel itself stays established and the client continues to report a connected state. Because it operates at the local network level, TunnelVision is far simpler to carry out than earlier VPN attacks that targeted VPN servers or protocols: the attacker needs only a rogue DHCP server on the same network (racing or starving the legitimate one) or control of the legitimate DHCP server, and does not need to compromise the VPN infrastructure at all.

Impact  

CVE-2024-3661 involves the manipulation of the routing table the operating system uses to decide where to send traffic. A threat actor on the same local network can divert traffic for chosen destinations, or for all destinations, around the VPN tunnel and onto the physical interface, where it is visible to anyone on the path. Encryption applied by the application itself (for example TLS) is unaffected, but destination addresses, DNS traffic and any plaintext protocols are exposed. Because the tunnel remains up, the VPN client and its kill switch typically give no indication that the bypass is happening.
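To make the mechanism concrete, the following Python is an added example and is not code from Leviathan Security Group or from this bulletin. It encodes and decodes DHCP option 121 in the compact form RFC 3442 specifies, then performs a longest-prefix-match lookup over a constructed routing table that carries the VPN's usual 0.0.0.0/1 and 128.0.0.0/1 catch-all routes. The interface and address names (eth0, tun0, 192.168.1.1, 10.8.0.1, 203.0.113.5, 198.51.100.0/24) are assumptions chosen for illustration. It also goes one step beyond the text above: four /2 routes are enough to divert every IPv4 destination, so the attacker does not need to know where the victim's traffic is going.

```python
"""Added example, not code from Leviathan Security Group or this bulletin.

Models why a DHCP option 121 route defeats a VPN's catch-all routes.
Assumed layout (all names and addresses are constructed for illustration):
  eth0  physical interface, DHCP default gateway 192.168.1.1
  tun0  VPN tunnel, remote end 10.8.0.1, VPN server 203.0.113.5
The VPN client installs 0.0.0.0/1 and 128.0.0.0/1 via tun0, the usual way to
route everything through the tunnel without replacing the default route.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str
    dev: str
    metric: int = 0


def encode_option_121(routes):
    """Encode (destination, router) pairs in RFC 3442 compact form: one byte of
    prefix length, only the significant octets of the destination, then the
    four router octets. A /0 destination contributes no destination octets."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_option_121(data):
    """Inverse of encode_option_121; returns [(dest_str, router_str), ...] and
    raises ValueError on a truncated or malformed option, which a DHCP client
    must also do rather than install a half-parsed route."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"prefix length {plen} > 32")
        significant = (plen + 7) // 8
        if i + significant + 4 > len(data):
            raise ValueError("truncated option 121")
        dest_bytes = bytes(data[i:i + significant]) + b"\x00" * (4 - significant)
        i += significant
        router = ipaddress.IPv4Address(bytes(data[i:i + 4]))
        i += 4
        net = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(dest_bytes)}/{plen}", strict=False)
        routes.append((str(net), str(router)))
    return routes


def build_table(option_121=b""):
    """Constructed host routing table: the DHCP default route, the VPN's two /1
    catch-alls, the host route the VPN client adds so its own server stays
    reachable, plus whatever option 121 routes the DHCP server pushed."""
    table = [
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "192.168.1.1", "eth0", metric=100),
        Route(ipaddress.IPv4Network("0.0.0.0/1"), "10.8.0.1", "tun0"),
        Route(ipaddress.IPv4Network("128.0.0.0/1"), "10.8.0.1", "tun0"),
        Route(ipaddress.IPv4Network("203.0.113.5/32"), "192.168.1.1", "eth0"),
    ]
    for dest, router in decode_option_121(option_121):
        # The DHCP client installs these on the physical interface; the VPN
        # client never sees them and keeps reporting "connected".
        table.append(Route(ipaddress.IPv4Network(dest), router, "eth0", metric=100))
    return table


def lookup(table, dst):
    """Longest-prefix match, ties broken by lowest metric, as Linux does."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def egress_interface(dst, option_121=b""):
    """Interface a packet to dst leaves on, given the pushed option 121 bytes."""
    return lookup(build_table(option_121), dst).dev


# Rogue DHCP payloads (constructed). TARGETED_LEAK diverts one /24 the attacker
# cares about. FULL_LEAK goes beyond the bulletin's text: four /2 routes are
# more specific than the VPN's two /1 routes for every IPv4 address, so all
# traffic leaves on eth0 while the 203.0.113.5/32 host route keeps the tunnel up.
GW = "192.168.1.1"
TARGETED_LEAK = encode_option_121([("198.51.100.0/24", GW)])
FULL_LEAK = encode_option_121(
    [("0.0.0.0/2", GW), ("64.0.0.0/2", GW), ("128.0.0.0/2", GW), ("192.0.0.0/2", GW)]
)

if __name__ == "__main__":
    for label, payload in (("no attack", b""), ("targeted", TARGETED_LEAK), ("full", FULL_LEAK)):
        for dst in ("198.51.100.10", "8.8.8.8", "203.0.113.5"):
            print(f"{label:9} {dst:15} -> {egress_interface(dst, payload)}")
```

Running the block prints, for each payload, which interface traffic to three sample destinations leaves on; only the VPN server itself is meant to go out eth0, and under FULL_LEAK everything does. The prefix-length ordering is what matters: the pushed routes win even with a worse metric, so a VPN client cannot defend itself by adjusting metrics alone.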

Affected Products 

TunnelVision has been verified to affect operating systems that honour DHCP option 121 routes, including Windows, Linux, iOS and macOS. Android is unaffected because it does not implement option 121. On Linux, VPN set-ups that keep the VPN interface in a network namespace separate from the one holding the physical interface are also protected, since the DHCP-learned routes never reach the namespace the applications use.

Containment, Mitigations & Remediations 

According to the researchers' analysis, there is no vendor patch to apply, because the behaviour is a feature of DHCP and of host routing rather than a bug in any single product. The following mitigations reduce or remove exposure to CVE-2024-3661.

  • On Linux, run the VPN in a network namespace separate from the one holding the physical interface, so that DHCP-learned routes never apply to application traffic; the researchers describe this as the only complete fix they found
  • Use devices running the Android operating system, which ignores DHCP option 121
  • Connect through a temporary wireless hotspot on a cellular device under your own control, so that no untrusted DHCP server sits on the local network
  • Run the VPN from inside a virtual machine (VM) whose network adapter is not in "bridged mode", since bridging makes the VM just another DHCP client on the physical network
  • Apply host firewall rules that deny all inbound and outbound traffic on the physical interface except DHCP and traffic to the VPN server. This stops the leak, but it introduces a side channel: by pushing a route for a single destination and observing whether the victim's traffic to it is dropped, an attacker can still learn which destinations the victim communicates with (a selective denial of service)
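None of the mitigations above tells a defender whether a host has already been affected, so a practitioner will also want a check to run on a VPN client. The Python below is an added example and is not code from the researchers or from this bulletin: it parses `ip route show` output on Linux and flags any route that would carry traffic around the tunnel. The interface and address names (tun0, eth0, 203.0.113.5) are assumptions, and SAMPLE_IP_ROUTE is a constructed capture from a client whose DHCP server pushed an option 121 route for 198.51.100.0/24.

```python
"""Added example, not code from Leviathan Security Group or this bulletin.

Host-side check for a Linux VPN client: parse `ip route show` output and flag
routes that would carry traffic around the tunnel. Interface and address names
are assumptions; SAMPLE_IP_ROUTE is a constructed capture, not a real one.
Option 121 is IPv4-only, so only the IPv4 table is examined.
"""
import ipaddress

SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
198.51.100.0/24 via 192.168.1.1 dev eth0 proto dhcp metric 100
203.0.113.5 via 192.168.1.1 dev eth0
"""

# `ip route` prints a few bare flags that carry no value after them.
BARE_FLAGS = {"onlink", "linkdown", "dead", "pervasive"}


def parse_ip_route(text):
    """Turn each line of `ip route show` into a dict: dst as an IPv4Network,
    plus via/dev/proto/scope/src/metric exactly as printed."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        if "/" not in dst:
            dst += "/32"  # ip prints host routes without a mask
        entry = {"dst": ipaddress.IPv4Network(dst, strict=False)}
        it = iter(tokens[1:])
        for key in it:
            entry[key] = True if key in BARE_FLAGS else next(it, None)
        routes.append(entry)
    return routes


def find_bypass_routes(text, vpn_dev="tun0", vpn_server="203.0.113.5"):
    """Routes that send traffic somewhere other than the tunnel.

    Expected, and therefore ignored: the default route (the VPN's /1 pair
    overrides it), kernel link-scope routes for directly attached subnets, and
    the host route the VPN client adds for its own server. Anything else that
    leaves on a physical interface is what option 121 injects, whether or not
    the DHCP client tagged it `proto dhcp` (NetworkManager and systemd-networkd
    do; a dhclient hook script may not)."""
    server = ipaddress.IPv4Network(vpn_server + "/32")
    flagged = []
    for r in parse_ip_route(text):
        if r.get("dev") == vpn_dev or r["dst"].prefixlen == 0:
            continue
        if r.get("proto") == "kernel" or r["dst"] == server:
            continue
        flagged.append(r)
    return flagged


def report(text, **kw):
    """One human-readable line per suspicious route."""
    lines = []
    for r in find_bypass_routes(text, **kw):
        src = "DHCP-installed" if r.get("proto") == "dhcp" else f"proto {r.get('proto', 'boot')}"
        lines.append(f"{r['dst']} via {r.get('via', 'link')} dev {r.get('dev')} ({src})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_IP_ROUTE) or ["no routes bypass the tunnel"]:
        print(line)
```

To run it against a live machine, feed it `subprocess.check_output(["ip", "route", "show"], text=True)` and pass the real tunnel interface and server, for example `report(output, vpn_dev="wg0", vpn_server="<your server>")`. Legitimate static routes for internal networks will also be listed, which is intended: every route on the physical interface that is not the default, a link route or the VPN server's host route deserves a look. Windows `route print` output has a different layout and needs its own parser, but the same rule applies there.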

Indicators of Compromise 

No specific Indicators of Compromise (IoCs) are available currently. 

Threat Landscape 

The discovery of this VPN flaw is a concern for organisations and individuals that rely on VPNs for privacy and security, such as journalists and other media personnel who use these services to shield their activities from hostile actors. Most web traffic is already protected by HTTPS, so the content of a leaked connection is usually still encrypted, but the exposed destination addresses, DNS queries and other metadata pose significant privacy risks, and any plaintext protocol is fully readable by whoever controls the local network. TunnelVision shows that a VPN's guarantees depend on the host's routing configuration as much as on its cryptography, and underscores the need for a more precise understanding of what VPN services can and cannot protect.

Threat Group 

No attribution to specific threat actors or groups has been identified at the time of writing.  

Mitre Methodologies 

Common Weakness Enumeration (CWE) 

  • CWE-501 – Trust Boundary Violation 
  • CWE-306 – Missing Authentication for Critical Function