GHSA-HQMP-G7PH-X543
Vulnerability from github – Published: 2024-12-27 18:12 – Updated: 2025-05-19 20:43A new decloaking technique for nearly all VPN implementations has been found, which allows attackers to inject entries into the routing tables of unsuspecting victims using DHCP option 121. This allows attackers to redirect traffic, which is supposed to be sent encrypted over the VPN, through the physical interface handling DHCP for the network the victim's computer is connected to, effectively bypassing the VPN connection.
Impact
All users are potentially affected, as this attack vector can be used against any VPN implementation without mitigations in place.
Patches
Currently, there are no existing mitigations employed by Quincy.
Workarounds
Disabling DHCP option 121 in the DHCP client is a potential workaround, as it prevents this kind of attack.
References
https://www.leviathansecurity.com/blog/tunnelvision
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "quincy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.13.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-27T18:12:47Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "A new decloaking technique for nearly all VPN implementations has been found, which allows attackers to inject entries into the routing tables of unsuspecting victims using DHCP option 121. This allows attackers to redirect traffic, which is supposed to be sent encrypted over the VPN, through the physical interface handling DHCP for the network the victim\u0027s computer is connected to, effectively bypassing the VPN connection.\n\n### Impact\nAll users are potentially affected, as this attack vector can be used against _any_ VPN implementation without mitigations in place.\n\n### Patches\nCurrently, there are no existing mitigations employed by Quincy.\n\n### Workarounds\nDisabling DHCP option 121 in the DHCP client is a potential workaround, as it prevents this kind of attack.\n\n### References\nhttps://www.leviathansecurity.com/blog/tunnelvision",
"id": "GHSA-hqmp-g7ph-x543",
"modified": "2025-05-19T20:43:55Z",
"published": "2024-12-27T18:12:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/M0dEx/quincy/security/advisories/GHSA-hqmp-g7ph-x543"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3661"
},
{
"type": "PACKAGE",
"url": "https://github.com/M0dEx/quincy"
},
{
"type": "WEB",
"url": "https://www.leviathansecurity.com/blog/tunnelvision"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "TunnelVision - decloaking VPNs using DHCP"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.