New Attack Leaks VPN Traffic Using Rogue DHCP Servers

"TunnelVision" is a newly disclosed attack that exploits a weakness in the Dynamic Host Configuration Protocol (DHCP) to bypass the protection a VPN is meant to provide. The technique, outlined in a report by Leviathan Security, lets an attacker on the local network intercept and monitor a victim's traffic in the clear while the victim's VPN client still reports a working, secure connection.

The attack revolves around the misuse of DHCP option 121 (classless static routes), a feature that lets a DHCP server push routing entries to client systems. Attackers carry it out by running a rogue DHCP server on the same network as the targeted VPN user. The rogue server installs routes in the user's routing table that take precedence over the VPN's routes, so traffic that should have entered the encrypted tunnel is instead sent out the physical interface to the local network or to a malicious gateway controlled by the attackers.
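To make the mechanism concrete, the following added example (not code from the article or from Leviathan's report) decodes the RFC 3442 wire format of DHCP option 121 and then shows, with a plain longest-prefix-match lookup, which destinations would leave a client via the pushed routes rather than via the VPN. It is intended for auditing a captured lease or offer from the defender's side. The option payload, the gateway addresses and the probe IPs are constructed sample values, and the VPN's routing contribution is simplified to a single default route labelled "vpn"; real clients also weigh route metrics, which this model ignores.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

DHCP_OPT_CLASSLESS_STATIC_ROUTE = 121  # RFC 3442 option code


@dataclass(frozen=True)
class StaticRoute:
    destination: ipaddress.IPv4Network
    router: ipaddress.IPv4Address


def parse_option_121(payload: bytes) -> list[StaticRoute]:
    """Decode the value field of DHCP option 121.

    Per route (RFC 3442): one byte prefix length, then only the significant
    destination octets (ceil(prefix/8) of them), then a 4-octet router.
    A prefix length of 0 is a default route and carries no destination octets.
    """
    routes: list[StaticRoute] = []
    i = 0
    while i < len(payload):
        prefix_len = payload[i]
        i += 1
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len}")
        n_dest = (prefix_len + 7) // 8
        if i + n_dest + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        # Pad the significant octets back out to a full 4-byte address.
        dest_octets = payload[i:i + n_dest] + b"\x00" * (4 - n_dest)
        i += n_dest
        router = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        dest = ipaddress.IPv4Network((dest_octets, prefix_len), strict=False)
        routes.append(StaticRoute(dest, router))
    return routes


def longest_prefix_match(dst: ipaddress.IPv4Address, table) -> str | None:
    """Return the label of the most specific matching entry in `table`
    (a list of (IPv4Network, label)); on equal prefix length the earlier
    entry wins, which is a simplification of real metric-based tie-breaking."""
    best = None
    for net, label in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return best[1] if best else None


def audit_lease_routes(option_121: bytes, vpn_routes, probe_ips) -> dict[str, str | None]:
    """Merge the VPN's routes with the DHCP-pushed ones and report, for each
    probe address, whether its traffic would go through the VPN or out via a
    route the DHCP server supplied."""
    table = [(net, "vpn") for net in vpn_routes]
    for r in parse_option_121(option_121):
        table.append((r.destination, f"dhcp via {r.router}"))
    return {ip: longest_prefix_match(ipaddress.IPv4Address(ip), table) for ip in probe_ips}


def suspicious_routes(routes: list[StaticRoute]) -> list[StaticRoute]:
    """Flag pushed routes that steer non-private (public) destinations, or a
    default route, to a local gateway: on a network where a VPN is expected
    to carry all Internet traffic, these deserve a closer look."""
    return [r for r in routes
            if r.destination.prefixlen == 0 or not r.destination.is_private]


# Constructed sample payload: 10.20.0.0/16 via 192.168.1.1 (ordinary LAN route)
# followed by 8.8.8.0/24 via 192.168.1.254 (a public prefix sent to a local gateway).
SAMPLE_OPTION_121 = bytes.fromhex("10 0a14 c0a80101" "18 080808 c0a801fe")

# Simplified stand-in for what a VPN client installs: one catch-all route.
VPN_ROUTES = [ipaddress.IPv4Network("0.0.0.0/0")]

if __name__ == "__main__":
    for r in parse_option_121(SAMPLE_OPTION_121):
        print(f"option 121 route: {r.destination} via {r.router}")
    verdicts = audit_lease_routes(SAMPLE_OPTION_121, VPN_ROUTES,
                                  ["10.20.5.5", "8.8.8.8", "1.1.1.1"])
    for ip, path in verdicts.items():
        print(f"{ip:>10} -> {path}")
    for r in suspicious_routes(parse_option_121(SAMPLE_OPTION_121)):
        print(f"suspicious: {r.destination} via {r.router}")
```

Run against the constructed lease, the audit shows 1.1.1.1 still going through the VPN while 8.8.8.8 is routed to the local gateway 192.168.1.254, which is exactly the redirection the article describes; feeding the decoder the option 121 bytes from a real DHCP offer (for example as exported from a packet capture) gives the same view of what a given network is trying to install.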

Security Officer Comments:
Leviathan Security highlights that the vulnerability exploited in this attack, designated as CVE-2024-3661, has existed since at least 2002. Despite its long-standing presence, there have been no documented instances of active exploitation of this vulnerability until Leviathan's report brought it to light.

Suggested Corrections:
Researchers at Leviathan Security have published the following mitigations for the TunnelVision flaw (CVE-2024-3661), which affects Windows, Linux, macOS, and iOS. Because Android does not support DHCP option 121, it is the only major operating system not affected by TunnelVision attacks.

  • Firewall Rules
    • We’ve observed VPN providers denying all inbound and outbound traffic to and from the physical interface via firewall rules. An exception was necessary for the DHCP and VPN server IPs because they are necessary to remain connected to the LAN and VPN server. Deep packet inspection could also allow only the DHCP and VPN protocols instead but would likely incur a performance penalty.
  • Problems with Firewall Rule Mitigations
    • Firewall mitigations create a selective denial of service for traffic using the DHCP route and introduce a side-channel. An attacker can use this side-channel to determine the destination of traffic. To determine the traffic’s destination, an attacker could perform traffic analysis on the volume of VPN encrypted traffic a user sends. The attacker would need a baseline volume of traffic where no malicious routes are installed. Then the attacker would need to modify the lease configuration to install routes that deny traffic and observe the difference in volume.
    • With enough samples, it would be possible to statistically prove whether the targeted user is sending traffic to a specific destination. For the average internet user, most internet traffic is already secured by TLS. Therefore, traffic intercepted by TunnelVision will mostly be unreadable except for the destination and protocols. This means that this side-channel has nearly the same impact and should be considered insufficient.
    • The side-channel is flexible in use:
      • The traffic can be checked against a predefined list.
      • The traffic can be selectively denied as a censorship mechanism.
      • The attacker can use IP space denial with binary search to determine all current connections in logarithmic time.
  • Ignore Option 121
    • Another possible mitigation is ignoring option 121 while the VPN is on. We noted that because Android does not implement support for DHCP option 121, it was uniquely unaffected. The downside is that option 121 exists for a reason, and ignoring these routes can break network connectivity (something that is frequently brought up as a reason to implement it on Android). If this mitigation is implemented, it must be mandatory because attackers could simply deny network access until the VPN or user re-enables option 121.
  • Use a Hot Spot or VM
    • Hot spots are temporary Wi-Fi networks controlled by a cellular device. They create a password-locked LAN with automatic network address translation. Because this network is completely controlled by the cellular device and requires a password, an attacker should not have local network access. A virtual machine would also work similarly as long as the VM’s network adapter is not in bridged mode.
  • Do not use untrusted networks if you need absolute confidentiality of your traffic