DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.
New attack leaks VPN traffic using rogue DHCP servers By Bill Toulas May 7, 2024 02:46 PM 0 A new attack dubbed "TunnelVision" can route traffic outside a VPN's encryption tunnel, allowing attackers to snoop on unencrypted traffic while maintaining the appearance of a secure VPN connection. The method, described in detail in a report by Leviathan Security, relies on the abuse of Dynamic Host Configuration Protocol's (DHCP) option 121, which permits the configuration of classless static routes on...
Topics Security Off-Prem On-Prem Software Offbeat Special Features Vendor Voice Vendor Voice Resources Avoid traffic-redirecting snoops who have TunnelVision
A newly discovered vulnerability undermines countless VPN clients in that their traffic can be quietly routed away from their encrypted tunnels and intercepted by snoops on the network. Dubbed TunnelVision by the eggheads at Leviathan Security Group who uncovered and documented it, the technique (CVE-2024-3661) can result in a VPN user believing their connection is properly secured, and being routed through an encrypted tunnel as usual, while an attacker on their network has instead redirected t...