CVE-2024-3661

DHCP can add routes to a client's routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 7.6 HIGH | ADJACENT_NETWORK | LOW | NONE | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L |
| cisa-cg | CNA | 7.6 HIGH | ADJACENT_NETWORK | LOW | NONE | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L |
| CVE | ADP | --- | | | | --- |
| CISA-ADP | ADP | --- | | | | --- |

Base Score: CVSS 3.x
EPSS Score: Percentile: 83%

| Vendor | Product | Version |
|---|---|---|
| fortinet | forticlient | 6.4.0 ≤ x < 7.2.5 |
| fortinet | forticlient | 6.4.0 ≤ x < 7.2.5 |
| fortinet | forticlient | 6.4.0 ≤ x < 7.2.5 |
| fortinet | forticlient | 7.4.0 |
| fortinet | forticlient | 7.4.0 |
| fortinet | forticlient | 7.4.0 |
| cisco | anyconnect_vpn_client | - |
| cisco | secure_client | - |
| paloaltonetworks | globalprotect | * |
| paloaltonetworks | globalprotect | * |
| paloaltonetworks | globalprotect | * |
| citrix | secure_access_client | x < 24.06.1 |
| citrix | secure_access_client | x < 24.8.5 |
| f5 | big-ip_access_policy_manager | 7.2.3 ≤ x ≤ 7.2.5 |
| f5 | big-ip_access_policy_manager | 15.1.0 ≤ x ≤ 15.1.10 |
| f5 | big-ip_access_policy_manager | 16.1.0 ≤ x ≤ 16.1.5 |
| f5 | big-ip_access_policy_manager | 17.1.0 ≤ x ≤ 17.1.2 |
| watchguard | ipsec_mobile_vpn_client | * |
| watchguard | ipsec_mobile_vpn_client | * |
| watchguard | mobile_vpn_with_ssl | * |
| watchguard | mobile_vpn_with_ssl | * |
| zscaler | client_connector | x < 1.5.1.25 |
| zscaler | client_connector | x < 4.2.0.282 |
| zscaler | client_connector | 3.7 ≤ x < 3.7.0.134 |
| zscaler | client_connector | - |

x = Vulnerable software versions

Ubuntu Releases

| Ubuntu Product | plucky | oracular | noble | mantic | jammy | focal | bionic | xenial | trusty |
|---|---|---|---|---|---|---|---|---|---|
| gadmin-openvpn-client | dne | dne | dne | dne | dne | ignored | ignored | ignored | |
| gadmin-openvpn-server | dne | dne | dne | dne | dne | ignored | ignored | ignored | |
| kvpnc | dne | dne | dne | dne | dne | dne | ignored | ignored | |
| mozillavpn | dne | dne | dne | dne | ignored | dne | | | |
| pptpd | dne | dne | dne | ignored | ignored | ignored | ignored | ignored | ignored |
| openvpn | ignored | ignored | ignored | ignored | ignored | ignored | ignored | ignored | ignored |
| libreswan | ignored | ignored | ignored | ignored | ignored | ignored | ignored | | |
| n2n | ignored | ignored | ignored | ignored | ignored | ignored | ignored | ignored | |
| connman | ignored | ignored | ignored | ignored | ignored | ignored | ignored | ignored | |
| golang-github-apparentlymart-go-openvpn-mgmt | ignored | ignored | ignored | ignored | ignored | ignored | | | |
| network-manager-fortisslvpn | ignored | ignored | ignored | ignored | ignored | ignored | ignored | | |
| network-manager-iodine | ignored | ignored | ignored | ignored | ignored | ignored | ignored | ignored | |
| network-manager-l2tp | ignored | ignored | ignored | ignored | ignored | ignored | ignored | | |
| network-manager-openconnect | ignored | ignored | ignored | ignored | ignored | ignored | ignored | ignored | |
| network-manager-openvpn | ignored | ignored | ignored | ignored | ignored | ignored | ignored | ignored | |
| network-manager-pptp | ignored | ignored | ignored | ignored | ignored | ignored | ignored | ignored | |
| network-manager-sstp | ignored | ignored | ignored | ignored | ignored | dne | | | |
| network-manager-strongswan | ignored | ignored | ignored | ignored | ignored | ignored | ignored | ignored | |
| network-manager-vpnc | ignored | ignored | ignored | ignored | ignored | ignored | ignored | ignored | |
| openconnect | ignored | ignored | ignored | ignored | ignored | ignored | ignored | ignored | |
| openfortivpn | ignored | ignored | ignored | ignored | ignored | ignored | ignored | | |
| pptp-linux | ignored | ignored | ignored | ignored | ignored | ignored | ignored | ignored | |
| quicktun | ignored | ignored | ignored | ignored | ignored | ignored | ignored | | |
| riseup-vpn | ignored | ignored | ignored | ignored | dne | dne | | | |
| softether-vpn | ignored | ignored | ignored | ignored | ignored | dne | | | |
| sshuttle | ignored | ignored | ignored | ignored | ignored | ignored | ignored | ignored | |
| tinc | ignored | ignored | ignored | ignored | ignored | ignored | ignored | ignored | |
| vpnc | ignored | ignored | ignored | ignored | ignored | ignored | ignored | ignored | |
| wireguard | ignored | ignored | ignored | ignored | ignored | ignored | ignored | ignored | |

References