cve-2024-3661
Vulnerability from cvelistv5
Published
2024-05-06 18:31
Modified
2024-08-28 19:09
Severity ?
7.6 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Summary
DHCP routing options can manipulate interface-based VPN traffic
References
9119a7d8-5eab-497f-8521-727c672e3725https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/
9119a7d8-5eab-497f-8521-727c672e3725https://bst.cisco.com/quickview/bug/CSCwk05814
9119a7d8-5eab-497f-8521-727c672e3725https://datatracker.ietf.org/doc/html/rfc2131#section-7
9119a7d8-5eab-497f-8521-727c672e3725https://datatracker.ietf.org/doc/html/rfc3442#section-7
9119a7d8-5eab-497f-8521-727c672e3725https://fortiguard.fortinet.com/psirt/FG-IR-24-170
9119a7d8-5eab-497f-8521-727c672e3725https://issuetracker.google.com/issues/263721377
9119a7d8-5eab-497f-8521-727c672e3725https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/
9119a7d8-5eab-497f-8521-727c672e3725https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic
9119a7d8-5eab-497f-8521-727c672e3725https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision
9119a7d8-5eab-497f-8521-727c672e3725https://my.f5.com/manage/s/article/K000139553
9119a7d8-5eab-497f-8521-727c672e3725https://news.ycombinator.com/item?id=40279632
9119a7d8-5eab-497f-8521-727c672e3725https://news.ycombinator.com/item?id=40284111
9119a7d8-5eab-497f-8521-727c672e3725https://security.paloaltonetworks.com/CVE-2024-3661
9119a7d8-5eab-497f-8521-727c672e3725https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661
9119a7d8-5eab-497f-8521-727c672e3725https://tunnelvisionbug.com/
9119a7d8-5eab-497f-8521-727c672e3725https://www.agwa.name/blog/post/hardening_openvpn_for_def_con
9119a7d8-5eab-497f-8521-727c672e3725https://www.leviathansecurity.com/research/tunnelvision
9119a7d8-5eab-497f-8521-727c672e3725https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/
9119a7d8-5eab-497f-8521-727c672e3725https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009
9119a7d8-5eab-497f-8521-727c672e3725https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability
Impacted products
IETFDHCP
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T20:20:00.420Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://datatracker.ietf.org/doc/html/rfc2131#section-7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://datatracker.ietf.org/doc/html/rfc3442#section-7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://tunnelvisionbug.com/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.leviathansecurity.com/research/tunnelvision"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://news.ycombinator.com/item?id=40279632"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issuetracker.google.com/issues/263721377"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://news.ycombinator.com/item?id=40284111"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.agwa.name/blog/post/hardening_openvpn_for_def_con"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bst.cisco.com/quickview/bug/CSCwk05814"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.paloaltonetworks.com/CVE-2024-3661"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-170"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://my.f5.com/manage/s/article/K000139553"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-3661",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-08T04:00:07.962328Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-28T19:09:06.995Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "DHCP",
          "vendor": "IETF",
          "versions": [
            {
              "status": "affected",
              "version": "0"
            }
          ]
        }
      ],
      "datePublic": "2002-12-31T01:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "DHCP can add routes to a client\u2019s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN."
            }
          ],
          "value": "DHCP can add routes to a client\u2019s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-501",
              "description": "CWE-501 Trust Boundary Violation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-01T15:04:50.790Z",
        "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "shortName": "cisa-cg"
      },
      "references": [
        {
          "url": "https://datatracker.ietf.org/doc/html/rfc2131#section-7"
        },
        {
          "url": "https://datatracker.ietf.org/doc/html/rfc3442#section-7"
        },
        {
          "url": "https://tunnelvisionbug.com/"
        },
        {
          "url": "https://www.leviathansecurity.com/research/tunnelvision"
        },
        {
          "url": "https://news.ycombinator.com/item?id=40279632"
        },
        {
          "url": "https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/"
        },
        {
          "url": "https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/"
        },
        {
          "url": "https://issuetracker.google.com/issues/263721377"
        },
        {
          "url": "https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision"
        },
        {
          "url": "https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability"
        },
        {
          "url": "https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic"
        },
        {
          "url": "https://news.ycombinator.com/item?id=40284111"
        },
        {
          "url": "https://www.agwa.name/blog/post/hardening_openvpn_for_def_con"
        },
        {
          "url": "https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/"
        },
        {
          "url": "https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661"
        },
        {
          "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009"
        },
        {
          "url": "https://bst.cisco.com/quickview/bug/CSCwk05814"
        },
        {
          "url": "https://security.paloaltonetworks.com/CVE-2024-3661"
        },
        {
          "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-170"
        },
        {
          "url": "https://my.f5.com/manage/s/article/K000139553"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "DHCP routing options can manipulate interface-based VPN traffic",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
    "assignerShortName": "cisa-cg",
    "cveId": "CVE-2024-3661",
    "datePublished": "2024-05-06T18:31:21.217Z",
    "dateReserved": "2024-04-11T17:24:22.637Z",
    "dateUpdated": "2024-08-28T19:09:06.995Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-3661\",\"sourceIdentifier\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"published\":\"2024-05-06T19:15:11.027\",\"lastModified\":\"2024-07-01T15:15:17.187\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"DHCP can add routes to a client\u2019s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.\"},{\"lang\":\"es\",\"value\":\"Por dise\u00f1o, el protocolo DHCP no autentica mensajes, incluida, por ejemplo, la opci\u00f3n de ruta est\u00e1tica sin clases (121). Un atacante con la capacidad de enviar mensajes DHCP puede manipular rutas para redirigir el tr\u00e1fico VPN, lo que le permite leer, interrumpir o posiblemente modificar el tr\u00e1fico de red que se esperaba que estuviera protegido por la VPN. Muchos, si no la mayor\u00eda, de los sistemas VPN basados en enrutamiento IP son susceptibles a este tipo de ataques.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\",\"baseScore\":7.6,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"},{\"lang\":\"en\",\"value\":\"CWE-501\"}]}],\"references\":[{\"url\":\"https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"},{\"url\":\"https://bst.cisco.com/quickview/bug/CSCwk05814\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"},{\"url\":\"https://datatracker.ietf.org/doc/html/rfc2131#section-7\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"},{\"url\":\"https://datatracker.ietf.org/doc/html/rfc3442#section-7\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"},{\"url\":\"https://fortiguard.fortinet.com/psirt/FG-IR-24-170\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"},{\"url\":\"https://issuetracker.google.com/issues/263721377\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"},{\"url\":\"https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"},{\"url\":\"https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"},{\"url\":\"https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"},{\"url\":\"https://my.f5.com/manage/s/article/K000139553\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"},{\"url\":\"https://news.ycombinator.com/item?id=40279632\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"},{\"url\":\"https://news.ycombinator.com/item?id=40284111\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"},{\"url\":\"https://security.paloaltonetworks.com/CVE-2024-3661\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"},{\"url\":\"https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"},{\"url\":\"https://tunnelvisionbug.com/\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"},{\"url\":\"https://www.agwa.name/blog/post/hardening_openvpn_for_def_con\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"},{\"url\":\"https://www.leviathansecurity.com/research/tunnelvision\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"},{\"url\":\"https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"},{\"url\":\"https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"},{\"url\":\"https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.