CVE-2024-3661

EUVD-2024-32236
DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 7.6 HIGH | ADJACENT_NETWORK | LOW | NONE | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L |
| cisa-cg | CNA | 7.6 HIGH | ADJACENT_NETWORK | LOW | NONE | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L |
EPSS Score (Percentile: 84%)
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| fortinet | forticlient | 6.4.0 ≤ x < 7.2.5 |
| fortinet | forticlient | 6.4.0 ≤ x < 7.2.5 |
| fortinet | forticlient | 6.4.0 ≤ x < 7.2.5 |
| fortinet | forticlient | 7.4.0 |
| fortinet | forticlient | 7.4.0 |
| fortinet | forticlient | 7.4.0 |
| cisco | anyconnect_vpn_client | - |
| cisco | secure_client | - |
| paloaltonetworks | globalprotect | * |
| paloaltonetworks | globalprotect | * |
| paloaltonetworks | globalprotect | * |
| citrix | secure_access_client | x < 24.06.1 |
| citrix | secure_access_client | x < 24.8.5 |
| f5 | big-ip_access_policy_manager | 7.2.3 ≤ x ≤ 7.2.5 |
| f5 | big-ip_access_policy_manager | 15.1.0 ≤ x ≤ 15.1.10 |
| f5 | big-ip_access_policy_manager | 16.1.0 ≤ x ≤ 16.1.5 |
| f5 | big-ip_access_policy_manager | 17.1.0 ≤ x ≤ 17.1.2 |
| watchguard | ipsec_mobile_vpn_client | * |
| watchguard | ipsec_mobile_vpn_client | * |
| watchguard | mobile_vpn_with_ssl | * |
| watchguard | mobile_vpn_with_ssl | * |
| zscaler | client_connector | x < 1.5.1.25 |
| zscaler | client_connector | x < 4.2.0.282 |
| zscaler | client_connector | 3.7 ≤ x < 3.7.0.134 |
| zscaler | client_connector | - |

x = Vulnerable software versions
Ubuntu Releases

| Ubuntu Product | Codename: status |
|---|---|
| tinc | bionic: ignored, focal: ignored, jammy: ignored, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored, xenial: ignored |
| vpnc | bionic: ignored, focal: ignored, jammy: ignored, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored, xenial: ignored |
| connman | bionic: ignored, focal: ignored, jammy: ignored, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored, xenial: ignored |
| gadmin-openvpn-client | bionic: ignored, focal: ignored, jammy: dne, mantic: dne, noble: dne, oracular: dne, plucky: dne, xenial: ignored |
| gadmin-openvpn-server | bionic: ignored, focal: ignored, jammy: dne, mantic: dne, noble: dne, oracular: dne, plucky: dne, xenial: ignored |
| golang-github-apparentlymart-go-openvpn-mgmt | focal: ignored, jammy: ignored, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored |
| kvpnc | bionic: ignored, focal: dne, jammy: dne, mantic: dne, noble: dne, oracular: dne, plucky: dne, xenial: ignored |
| libreswan | bionic: ignored, focal: ignored, jammy: ignored, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored |
| mozillavpn | focal: dne, jammy: ignored, mantic: dne, noble: dne, oracular: dne, plucky: dne |
| n2n | bionic: ignored, focal: ignored, jammy: ignored, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored, xenial: ignored |
| network-manager-fortisslvpn | bionic: ignored, focal: ignored, jammy: ignored, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored |
| network-manager-iodine | bionic: ignored, focal: ignored, jammy: ignored, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored, xenial: ignored |
| network-manager-l2tp | bionic: ignored, focal: ignored, jammy: ignored, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored |
| network-manager-openconnect | bionic: ignored, focal: ignored, jammy: ignored, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored, xenial: ignored |
| network-manager-openvpn | bionic: ignored, focal: ignored, jammy: ignored, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored, xenial: ignored |
| network-manager-pptp | bionic: ignored, focal: ignored, jammy: ignored, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored, xenial: ignored |
| network-manager-sstp | focal: dne, jammy: ignored, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored |
| network-manager-strongswan | bionic: ignored, focal: ignored, jammy: ignored, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored, xenial: ignored |
| network-manager-vpnc | bionic: ignored, focal: ignored, jammy: ignored, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored, xenial: ignored |
| openconnect | bionic: ignored, focal: ignored, jammy: ignored, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored, xenial: ignored |
| openfortivpn | bionic: ignored, focal: ignored, jammy: ignored, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored |
| openvpn | bionic: ignored, focal: ignored, jammy: ignored, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored, trusty: ignored, xenial: ignored |
| pptp-linux | bionic: ignored, focal: ignored, jammy: ignored, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored, xenial: ignored |
| pptpd | bionic: ignored, focal: ignored, jammy: ignored, mantic: ignored, noble: dne, oracular: dne, plucky: dne, trusty: ignored, xenial: ignored |
| quicktun | bionic: ignored, focal: ignored, jammy: ignored, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored |
| riseup-vpn | focal: dne, jammy: dne, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored |
| softether-vpn | focal: dne, jammy: ignored, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored |
| sshuttle | bionic: ignored, focal: ignored, jammy: ignored, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored, xenial: ignored |
| wireguard | bionic: ignored, focal: ignored, jammy: ignored, mantic: ignored, noble: ignored, oracular: ignored, plucky: ignored, xenial: ignored |
References