Security researchers have uncovered a new technique called “TunnelVision” that exposes a fundamental flaw in routing-based Virtual Private Networks (VPNs), potentially allowing attackers to snoop on users’ online activities even when they believe their traffic is securely encrypted.
The technique, discovered by Lizzie Moratti and Dani Cronce from Leviathan Security Group, exploits the way computers handle multiple network connections and routing tables.
When a user connects to a VPN, it becomes another network interface alongside their regular connections, such as home Wi-Fi or a public hotspot. Routing tables, which determine which network should handle the user’s traffic, govern these connections.
TunnelVision takes advantage of this system by manipulating the routing rules, diverting traffic away from the VPN tunnel and onto other networks, even though the user appears to be connected to the VPN securely.
“TunnelVision achieves decloaking: revealing the traffic that should otherwise be protected,” the researchers explained. “The consequences are significant. VPN users who rely on these services for protection on untrusted networks are just as vulnerable as if they weren’t using a VPN at all.”
How TunnelVision Works
The attack relies on exploiting a built-in feature of the Dynamic Host Configuration Protocol (DHCP), which automatically assigns IP addresses and other network configuration settings to devices on a network.
Specifically, TunnelVision abuses DHCP option 121, which allows a DHCP server to supply classless static routes for the VPN software’s routing tables.
An attacker on the same local network as the VPN user can set up a rogue DHCP server and force the targeted host to accept a temporary IP address.
By configuring the DHCP server as the gateway and using traffic forwarding rules, the attacker can snoop on the victim’s traffic while still passing it through to the legitimate gateway, effectively bypassing the VPN encryption.
Widespread Impact
The researchers note that TunnelVision is not dependent on any particular VPN provider or implementation, as it targets the underlying routing mechanisms common to most VPN systems.
Additionally, the vulnerability has likely existed in DHCP since 2002, when option 121 was introduced, meaning threat actors could have been using this technique covertly for years.
Affected operating systems include Windows, Linux, iOS, and macOS, as they implement DHCP clients according to the RFC specification and support DHCP option 121 routes. Android remains unaffected due to its lack of support for option 121.
Mitigations
Leviathan Security Group has reported the vulnerability, assigned CVE-2024-3661, to the Electronic Frontier Foundation (EFF) and the US Cybersecurity and Infrastructure Security Agency (CISA), which helped notify over 50 vendors prior to public disclosure.
To mitigate TunnelVision attacks, the researchers recommend that VPN providers implement network namespaces on supporting operating systems, effectively isolating interfaces and routing tables from local network control.
Additionally, organizations should enable DHCP snooping, ARP protections, and port security on switches, and consider ignoring option 121 for the DHCP server when VPN is in use, although this may result in network connectivity issues in certain scenarios.
The researchers also urge VPN providers to review their marketing materials and cease making claims that their products protect customers on untrusted networks until the TunnelVision issue can be properly addressed.
Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.