A new VPN bypass technique allows threat actors to snoop on victims’ traffic by forcing it off the VPN tunnel using built-in features of DHCP, penetration testing firm Leviathan Security Group warns.
Called TunnelVision and relying on manipulating route tables, the set of rules that computers use to decide which network traffic should be sent through, an attacker could use the technique without having to compromise the DHCP server.
The technique exploits CVE-2024-3661, a DHCP design flaw where messages such as the classless static route (option 121) are not authenticated, exposing them to manipulation.
“An attacker with the ability to send DHCP messages can manipulate routes to redirect VPN traffic, allowing the attacker to read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN,” a NIST advisory reads.
By exploiting the vulnerability, an attacker on the local network could redirect traffic to the local network instead of the VPN. Leviathan, which calls the bypass ‘decloaking’, has published full technical details on TunnelVision.
To mount an attack, a threat actor only needs to be on the same network as the victim, the penetration testing firm explains. However, successful decloaking is dependent on the targeted host accepting a DHCP lease from the attacker-controlled server, and for option 121 to be implemented by the host’s DHCP client.
According to Leviathan, an attacker could become the victim’s DHCP server by targeting the true DHCP server with a starvation attack, by racing to respond to broadcasts, and by performing ARP spoofing, thus intercepting traffic between the client and the true DHCP server.
“Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it,” Leviathan explains.
The security firm also notes that, while the attack is in progress, the victim is shown as still being connected to the VPN.
Because the security defect is not dependent on the VPN provider or implementation, most VPN systems based on IP routing are believed to be vulnerable to TunnelVision.
Leviathan believes that the vulnerability has existed in DHCP since 2002, when option 121 was introduced, and that the attack technique “could have already been discovered and potentially used in the wild”.
A possible mitigation that does not impact the privacy of VPN users would be for VPN providers to implement network namespaces on supporting operating systems (the feature is available on Linux systems), which could isolate interfaces and routing tables from the local network’s control.
Due to the broad implications of the vulnerability, Leviathan has reported it to the Electronic Frontier Foundation (EFF) and the US cybersecurity agency CISA, which helped notify over 50 vendors prior to the public disclosure.
Related: Research Shows How Attackers Can Abuse EDR Security Products
Related: SMTP Smuggling Allows Spoofed Emails to Bypass Authentication Protocols
Related: New ‘Pool Party’ Process Injection Techniques Undetected by EDR Solutions