TunnelVision: No VPN service is safe anymore

Father

How DHCP manipulation allows hackers to intercept all encrypted traffic.

Researchers at Leviathan Security discovered a major security threat affecting virtually all Virtual Private Network (VPN) applications.

The attack, dubbed "TunnelVision" and identified as CVE-2024-3661 (CVSS: 7.6 out of 10), allows hackers to intercept and modify traffic that should be transmitted through a secure encrypted tunnel. This method puts at risk one of the key functions of a VPN: hiding the user's IP address and protecting their data from wiretapping.

The vulnerability lies in manipulation of the DHCP server, which distributes the IP addresses of devices connecting to the local network. Using a setting known as "option 121," an attacker can redirect VPN traffic through their server, allowing them to intercept the transmitted data.

Leviathan Security experts have confirmed that this approach allows them to set arbitrary routes in the user's routing table, bypassing the encrypted VPN tunnel. They even posted a video showing the attack.

The attack affects all operating systems (except Android, which does not use the "option 121"), presenting special risks for users connecting to networks over which they do not have administrative control. For example, an attacker with administrative rights inside the network can configure the DHCP server in such a way as to initiate such an attack.

The insidious nature of the attack lies in the fact that the VPN client will tell the user in any case that all data is transmitted over a secure connection, but in reality this will not be the case at all. In fact, any traffic redirected from a compromised tunnel will not be encrypted in any way, and will belong to the network that the user is actually connected to, and not the one specified by the VPN client.

At the moment, there is no complete solution to the problem. Some measures, such as setting up network firewalls, can help limit incoming and outgoing traffic, but they don't solve the problem completely. Alternative methods include using a VPN inside a VM or connecting via a mobile device access point.

The Leviathan Security study highlights the importance of choosing and using network technologies carefully, especially in public or untrusted networks. Users should be aware of the potential risks and never blindly trust VPN services and various anonymizers, as sometimes such trust can end extremely badly.

Father

Public attention is drawn to the TunnelVision attack method, which allows you to redirect VPN traffic to your host if you have access to a local network or control over a wireless network. This problem affects any VPN clients that do not use isolated namespaces of the network subsystem (network namespace) when routing traffic to the tunnel or do not set up packet filter rules when configuring the tunnel that prohibit routing VPN traffic through existing physical network interfaces.

The essence of the attack is that the attacker can start his own DHCP server and use it to transmit information to the client for changing routing. In particular, an attacker can use option 121 (RFC 3442) provided in the DHCP protocol, which is designed to transmit information about static routes, make changes to the routing table on the victim's machine, and direct traffic to bypass the VPN. Redirection is performed by setting a series of routes for subnets with the /1 prefix, which have a higher priority than the default route with the /0 prefix (0.0.0.0/0). Accordingly, traffic, instead of going through the virtual network interface set up for the VPN, will be directed through the physical network interface to the attacker's host in the local network.

The attack can be carried out on any operating system that supports DHCP option 121, including Linux, Windows, iOS and macOS, regardless of the VPN protocol used (WireGuard, OpenVPN, IPsec) and the cipher suite. The Android platform is not affected by the attack, as it does not process DHCP option 121. At the same time, the attack allows you to access traffic, but does not allow you to break in and determine the content transmitted using secure application-level protocols, such as TLS and SSH. For example, an attacker cannot determine the content of requests over HTTPS, but can understand which sites they are sent to.

To protect against an attack, you can use the packet filter level to prevent sending packets addressed to the VPN interface via other network interfaces; block DHCP packets with option 121; use a VPN inside a separate VM (or container) isolated from the external network, or use special tunnel configuration modes that use network namespace. A set of scripts has been published for experimenting with the attack.

It can be noted that the idea of local routing changes is not new and was previously commonly used in attacks aimed at spoofing the DNS server. In a similar attack, TunnelCrack, in which traffic was redirected via replacing the default gateway, the problem affected all verified VPN clients for iOS, 87.5% of VPN clients for macOS, 66.7% for Windows, 35.7% for Linux and 21.4% for Android. In the context of VPN and DHCP, the method was also mentioned earlier, for example, one of the reports at last year's USENIX 2023 conference was devoted to it (the study showed that 64.6% of the 195 tested VPN clients are susceptible to attack).

To substitute routes, it was also previously suggested to use a specially designed USB keychain that simulates the operation of a network adapter, which, when connected to a computer using DHCP, declares itself as a gateway. In addition, if the gateway is controlled (for example, when the victim connects to a wireless network controlled by the attacker), a technique has been developed to insert packets into the tunnel that are perceived in the context of the VPN network interface.

Data flows when using a VPN: [image]

Post-attack data flows: [image]

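To make the option 121 mechanism described above concrete, here is an added example (not code from the post, from Leviathan Security or from the published scripts) that encodes and decodes RFC 3442 classless static routes, flags a DHCP payload whose routes merge to cover all of 0.0.0.0/0 (which goes beyond the /1 pair: any partition of the address space is caught), and shows with a longest-prefix match why the /1 routes win over the VPN's /0 default. The DHCP server address 192.168.1.1, the interface names and the destination host are constructed sample values.

```python
import ipaddress

def encode_option_121(routes):
    """Encode [(dest_cidr, router)] as an RFC 3442 option 121 payload: one byte of
    prefix length, only the significant destination octets, then a 4-byte router."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)
        nsig = (net.prefixlen + 7) // 8          # octets needed for the prefix
        out.append(net.prefixlen)
        out += net.network_address.packed[:nsig]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)

def decode_option_121(payload):
    """Parse an option 121 payload into [(IPv4Network, IPv4Address)]; malformed
    entries raise ValueError instead of being silently installed."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i}")
        nsig = (plen + 7) // 8
        if i + 1 + nsig + 4 > len(payload):
            raise ValueError(f"truncated route entry at offset {i}")
        dest = payload[i + 1:i + 1 + nsig] + b"\x00" * (4 - nsig)
        router = ipaddress.IPv4Address(payload[i + 1 + nsig:i + 5 + nsig])
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False), router))
        i += 1 + nsig + 4
    return routes

def covers_default_route(routes):
    """True when the pushed destinations, merged, span all of 0.0.0.0/0 (the /1 pair
    is the classic case, but any partition of the address space is caught)."""
    merged = list(ipaddress.collapse_addresses(net for net, _ in routes))
    return merged == [ipaddress.IPv4Network("0.0.0.0/0")]

def pick_route(table, dst):
    """Longest-prefix match over [(network, interface)]: a /1 beats the VPN's /0."""
    candidates = [r for r in table if ipaddress.IPv4Address(dst) in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen)[1]

# Constructed sample: a rogue DHCP server at 192.168.1.1 pushes the two /1 routes.
TUNNELVISION_ROUTES = [("0.0.0.0/1", "192.168.1.1"), ("128.0.0.0/1", "192.168.1.1")]

def demo():
    decoded = decode_option_121(encode_option_121(TUNNELVISION_ROUTES))
    table = [(ipaddress.IPv4Network("0.0.0.0/0"), "tun0")]   # VPN's catch-all route
    table += [(net, "eth0") for net, _ in decoded]           # routes taken from DHCP
    return covers_default_route(decoded), pick_route(table, "203.0.113.7")
```

A client-side guard can run `covers_default_route` on the decoded option before installing anything, and a network sensor can apply the same check to captured DHCP offers.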