New TunnelVision technique can bypass the VPN encapsulation

Pierluigi Paganini May 08, 2024

TunnelVision is a new VPN bypass technique that enables threat actors to spy on users’ traffic bypassing the VPN encapsulation.

Leviathan Security researchers recently identified a novel attack technique, dubbed TunnelVision, to bypass VPN encapsulation. A threat actor can use this technique to force a target user’s traffic off their VPN tunnel using built-in features of DHCP (Dynamic Host Configuration Protocol).

The technique causes the VPN to fail to encrypt certain packets, leaving the traffic vulnerable to snooping. The researchers referred to this result as “decloaking.” The experts pointed out that the VPN control channel remains active during the attack and users still appear connected to the VPN in all observed instances.

The technique manipulates routing tables that used to send network traffic through the VPN tunnel.

TunnelVision exploits the vulnerability CVE-2024-3661, which is a DHCP design flaw where messages such as the classless static route (option 121) are not authenticated and for this reason can be manipulated by the attackers.

Option 121 enables administrators to incorporate static routes into a client’s routing table using classless ranges. There is no restriction, aside from packet size, on the number of different routes that can be simultaneously installed.

A threat actor that can send DHCP messages can tamper with routes to reroute VPN traffic, enabling him to intercept, disrupt, or potentially manipulate network traffic.

A local network attacker can exploit the technique to redirect traffic to the local network instead of the VPN tunnel.

The attackers can decloak VPN traffic only if the targeted host accepts a DHCP lease from the attacker-controlled server and the targeted host’s DHCP client implements DHCP option 121.

“We want to stress that there are ways an attacker who is on the same network as a targeted user might be able to become their DHCP server:

  • A rogue DHCP server using a DHCP starvation attack against the true DHCP, then responding to new clients. We have achieved this in lab environments and are working on a follow-up blog post.
  • A rogue DHCP server racing to respond to DHCPDISCOVER broadcasts to abuse DHCP clients’ common behavior where they implement first-offer lease selection. 
  • ARP spoofing to intercept traffic between the true DHCP server and client, then waiting for a client to renew their lease.” reads the report from Leviathan Security.

“Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.”

The security firm also notes that, while the attack is in progress, the victim is shown as still being connected to the VPN.

The researchers explained that during the attack, the victim cannot notice any disconnection to the VPN, they also remarked that the flaw isn’t tied to a specific VPN provider or implementation.

The TunnelVision technique is effective against most IP routing-based VPN systems.

The researchers speculate that the vulnerability existed in DHCP since 2002, when option 121 was implemented. They believe the technique could have already been discovered and potentially used in the wild by threat actors.

To mitigate the issue VPN providers could implement network namespaces on supporting operating systems to isolate interfaces and routing tables from the local network’s control.

The experts provided other mitigations, including using Firewall Rules, Ignoring Option 121, using a Hot Spot or VM, and avoiding use untrusted networks.

Below is a video PoC of the attack published by the researchers:

“We have a limitation as a research team of two– there are simply too many VPNs on the market to test each one individually. The first approach we took was to notify companies via bug bounties or security disclosure email, but that quickly became unscalable. We’ve also engaged the EFF and CISA to help disclose as broadly as possible prior to publicly releasing this research. We thank them tremendously for their help.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, TunnelVision)

you might also like

leave a comment