Search criteria
2 vulnerabilities found for DHCP by IETF
CVE-2024-3661 (GCVE-0-2024-3661)
Vulnerability from cvelistv5 – Published: 2024-05-06 18:31 – Updated: 2024-08-28 19:09
VLAI?
Summary
DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.
Severity ?
7.6 (High)
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:20:00.420Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://datatracker.ietf.org/doc/html/rfc2131#section-7"
},
{
"tags": [
"x_transferred"
],
"url": "https://datatracker.ietf.org/doc/html/rfc3442#section-7"
},
{
"tags": [
"x_transferred"
],
"url": "https://tunnelvisionbug.com/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.leviathansecurity.com/research/tunnelvision"
},
{
"tags": [
"x_transferred"
],
"url": "https://news.ycombinator.com/item?id=40279632"
},
{
"tags": [
"x_transferred"
],
"url": "https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/"
},
{
"tags": [
"x_transferred"
],
"url": "https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/"
},
{
"tags": [
"x_transferred"
],
"url": "https://issuetracker.google.com/issues/263721377"
},
{
"tags": [
"x_transferred"
],
"url": "https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability"
},
{
"tags": [
"x_transferred"
],
"url": "https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic"
},
{
"tags": [
"x_transferred"
],
"url": "https://news.ycombinator.com/item?id=40284111"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.agwa.name/blog/post/hardening_openvpn_for_def_con"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009"
},
{
"tags": [
"x_transferred"
],
"url": "https://bst.cisco.com/quickview/bug/CSCwk05814"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.paloaltonetworks.com/CVE-2024-3661"
},
{
"tags": [
"x_transferred"
],
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-170"
},
{
"tags": [
"x_transferred"
],
"url": "https://my.f5.com/manage/s/article/K000139553"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3661",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-08T04:00:07.962328Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T19:09:06.995Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "DHCP",
"vendor": "IETF",
"versions": [
{
"status": "affected",
"version": "0"
}
]
}
],
"datePublic": "2002-12-31T01:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "DHCP can add routes to a client\u2019s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN."
}
],
"value": "DHCP can add routes to a client\u2019s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-501",
"description": "CWE-501 Trust Boundary Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-01T15:04:50.790Z",
"orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"shortName": "cisa-cg"
},
"references": [
{
"url": "https://datatracker.ietf.org/doc/html/rfc2131#section-7"
},
{
"url": "https://datatracker.ietf.org/doc/html/rfc3442#section-7"
},
{
"url": "https://tunnelvisionbug.com/"
},
{
"url": "https://www.leviathansecurity.com/research/tunnelvision"
},
{
"url": "https://news.ycombinator.com/item?id=40279632"
},
{
"url": "https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/"
},
{
"url": "https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/"
},
{
"url": "https://issuetracker.google.com/issues/263721377"
},
{
"url": "https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision"
},
{
"url": "https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability"
},
{
"url": "https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic"
},
{
"url": "https://news.ycombinator.com/item?id=40284111"
},
{
"url": "https://www.agwa.name/blog/post/hardening_openvpn_for_def_con"
},
{
"url": "https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/"
},
{
"url": "https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661"
},
{
"url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009"
},
{
"url": "https://bst.cisco.com/quickview/bug/CSCwk05814"
},
{
"url": "https://security.paloaltonetworks.com/CVE-2024-3661"
},
{
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-170"
},
{
"url": "https://my.f5.com/manage/s/article/K000139553"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "DHCP routing options can manipulate interface-based VPN traffic",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"assignerShortName": "cisa-cg",
"cveId": "CVE-2024-3661",
"datePublished": "2024-05-06T18:31:21.217Z",
"dateReserved": "2024-04-11T17:24:22.637Z",
"dateUpdated": "2024-08-28T19:09:06.995Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3661 (GCVE-0-2024-3661)
Vulnerability from nvd – Published: 2024-05-06 18:31 – Updated: 2024-08-28 19:09
VLAI?
Summary
DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.
Severity ?
7.6 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:20:00.420Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://datatracker.ietf.org/doc/html/rfc2131#section-7"
},
{
"tags": [
"x_transferred"
],
"url": "https://datatracker.ietf.org/doc/html/rfc3442#section-7"
},
{
"tags": [
"x_transferred"
],
"url": "https://tunnelvisionbug.com/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.leviathansecurity.com/research/tunnelvision"
},
{
"tags": [
"x_transferred"
],
"url": "https://news.ycombinator.com/item?id=40279632"
},
{
"tags": [
"x_transferred"
],
"url": "https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/"
},
{
"tags": [
"x_transferred"
],
"url": "https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/"
},
{
"tags": [
"x_transferred"
],
"url": "https://issuetracker.google.com/issues/263721377"
},
{
"tags": [
"x_transferred"
],
"url": "https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability"
},
{
"tags": [
"x_transferred"
],
"url": "https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic"
},
{
"tags": [
"x_transferred"
],
"url": "https://news.ycombinator.com/item?id=40284111"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.agwa.name/blog/post/hardening_openvpn_for_def_con"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009"
},
{
"tags": [
"x_transferred"
],
"url": "https://bst.cisco.com/quickview/bug/CSCwk05814"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.paloaltonetworks.com/CVE-2024-3661"
},
{
"tags": [
"x_transferred"
],
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-170"
},
{
"tags": [
"x_transferred"
],
"url": "https://my.f5.com/manage/s/article/K000139553"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3661",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-08T04:00:07.962328Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T19:09:06.995Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "DHCP",
"vendor": "IETF",
"versions": [
{
"status": "affected",
"version": "0"
}
]
}
],
"datePublic": "2002-12-31T01:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "DHCP can add routes to a client\u2019s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN."
}
],
"value": "DHCP can add routes to a client\u2019s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-501",
"description": "CWE-501 Trust Boundary Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-01T15:04:50.790Z",
"orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"shortName": "cisa-cg"
},
"references": [
{
"url": "https://datatracker.ietf.org/doc/html/rfc2131#section-7"
},
{
"url": "https://datatracker.ietf.org/doc/html/rfc3442#section-7"
},
{
"url": "https://tunnelvisionbug.com/"
},
{
"url": "https://www.leviathansecurity.com/research/tunnelvision"
},
{
"url": "https://news.ycombinator.com/item?id=40279632"
},
{
"url": "https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/"
},
{
"url": "https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/"
},
{
"url": "https://issuetracker.google.com/issues/263721377"
},
{
"url": "https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision"
},
{
"url": "https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability"
},
{
"url": "https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic"
},
{
"url": "https://news.ycombinator.com/item?id=40284111"
},
{
"url": "https://www.agwa.name/blog/post/hardening_openvpn_for_def_con"
},
{
"url": "https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/"
},
{
"url": "https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661"
},
{
"url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009"
},
{
"url": "https://bst.cisco.com/quickview/bug/CSCwk05814"
},
{
"url": "https://security.paloaltonetworks.com/CVE-2024-3661"
},
{
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-170"
},
{
"url": "https://my.f5.com/manage/s/article/K000139553"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "DHCP routing options can manipulate interface-based VPN traffic",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"assignerShortName": "cisa-cg",
"cveId": "CVE-2024-3661",
"datePublished": "2024-05-06T18:31:21.217Z",
"dateReserved": "2024-04-11T17:24:22.637Z",
"dateUpdated": "2024-08-28T19:09:06.995Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}