Leviathan Security researchers recently identified a novel attack technique, dubbed TunnelVision, to bypass VPN encapsulation. A threat actor can use this technique to force a target user’s traffic off their VPN tunnel using built-in features of DHCP (Dynamic Host Configuration Protocol).
The technique causes the VPN to fail to encrypt certain packets, leaving that traffic exposed to snooping. The researchers refer to this result as “decloaking.” They point out that the VPN control channel remains active during the attack, and in all observed instances users still appear to be connected to the VPN.
The technique manipulates the routing tables that are used to send network traffic through the VPN tunnel. TunnelVision exploits CVE-2024-3661, a DHCP design flaw: DHCP messages, including the classless static route option (option 121), are not authenticated and can therefore be manipulated by an attacker.
Option 121 lets administrators push static routes into a client’s routing table using classless ranges. Apart from the packet size limit, there is no restriction on the number of different routes that can be installed at once. A threat actor who can send DHCP messages can tamper with these routes to reroute VPN traffic, enabling them to intercept, disrupt, or potentially manipulate it.
A local network attacker can use the technique to redirect traffic onto the local network instead of through the VPN tunnel.
Attackers can decloak VPN traffic only if the targeted host accepts a DHCP lease from the attacker-controlled server and the host’s DHCP client implements DHCP option 121.
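The paragraphs above describe the mechanism in words: option 121 carries classless routes in the RFC 3442 encoding, and a route that is more specific than the tunnel's own routes wins longest-prefix matching and pulls that traffic off the VPN. The following Python is an added example for defenders, not code from the article or from Leviathan Security: it decodes an option 121 payload and reports which of its routes would divert traffic around a VPN whose client installs the usual `0.0.0.0/1` and `128.0.0.0/1` tunnel routes. The payload bytes, the LAN prefix, the VPN server address and the function names are all constructed for the example.

```python
"""Decode DHCP option 121 (classless static route, RFC 3442) and flag
routes that would take traffic off a VPN tunnel.

Added example; not part of the original article or of any VPN product.
"""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def parse_option_121(payload: bytes) -> List[Route]:
    """Decode the RFC 3442 encoding.

    Each route is <prefix length><only the significant destination octets>
    <4-byte router>. A /24 therefore carries 3 destination octets, a /8
    carries 1, and a /0 carries none.
    """
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i}")
        n_sig = (plen + 7) // 8          # significant octets for this prefix
        i += 1
        if i + n_sig + 4 > len(payload):
            raise ValueError(f"truncated option 121 at offset {i}")
        dest = payload[i:i + n_sig] + bytes(4 - n_sig)   # zero-pad to 4 octets
        i += n_sig
        router = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        # strict=False tolerates host bits in a sloppy encoding
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False), router))
    return routes


def diverts_traffic(net: ipaddress.IPv4Network,
                    vpn_routes: List[ipaddress.IPv4Network]) -> bool:
    """True if some destination in `net` would be routed by this DHCP route
    rather than by a tunnel route, under longest-prefix matching.

    Only VPN routes strictly more specific than `net` can beat it, and they
    must cover every address in `net` for the DHCP route to be harmless.
    """
    more_specific = [v for v in vpn_routes
                     if v.subnet_of(net) and v.prefixlen > net.prefixlen]
    covered = sum(v.num_addresses
                  for v in ipaddress.collapse_addresses(more_specific))
    return covered < net.num_addresses


def flag_routes(dhcp_routes: List[Route],
                vpn_routes: List[ipaddress.IPv4Network],
                allowed: List[ipaddress.IPv4Network]) -> List[Route]:
    """Return option 121 routes that bypass the tunnel, ignoring prefixes the
    host is expected to reach directly (the LAN, the VPN server itself)."""
    return [(net, router) for net, router in dhcp_routes
            if not any(net.subnet_of(a) for a in allowed)
            and diverts_traffic(net, vpn_routes)]


# Constructed sample payload (documentation/test ranges only):
#   192.168.1.0/24  via 192.168.1.1   local LAN, expected
#   198.51.100.0/24 via 192.168.1.1   more specific than the /1 tunnel routes
#   0.0.0.0/0       via 192.168.1.1   default route, loses to the /1 routes
#   10.0.0.0/8      via 192.168.1.1   one significant octet, bypasses tunnel
SAMPLE_OPTION_121 = bytes([
    24, 192, 168, 1, 192, 168, 1, 1,
    24, 198, 51, 100, 192, 168, 1, 1,
    0, 192, 168, 1, 1,
    8, 10, 192, 168, 1, 1,
])

# Assumed tunnel routes as installed by a typical VPN client (constructed).
VPN_ROUTES = [ipaddress.IPv4Network("0.0.0.0/1"),
              ipaddress.IPv4Network("128.0.0.0/1")]
# Assumed prefixes legitimately reached outside the tunnel (constructed).
ALLOWED = [ipaddress.IPv4Network("192.168.1.0/24"),
           ipaddress.IPv4Network("203.0.113.10/32")]   # VPN server, constructed


def check_sample() -> List[str]:
    """Run the detector over the constructed payload; returns flagged CIDRs."""
    return [str(net) for net, _ in
            flag_routes(parse_option_121(SAMPLE_OPTION_121), VPN_ROUTES, ALLOWED)]


if __name__ == "__main__":
    for net, router in parse_option_121(SAMPLE_OPTION_121):
        print(f"route {net} via {router}")
    print("bypasses tunnel:", check_sample())
```

The detector is useful on a DHCP client host or a monitoring sensor that captures DHCPOFFER/DHCPACK packets: any option 121 route that is not the local LAN and is more specific than the tunnel routes is exactly the kind of route the attack relies on, so it is worth alerting on even when the lease otherwise looks normal.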
“We want to stress that there are ways an attacker who is on the same network as a targeted user might be able to become their DHCP server:
“Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.”