TunnelVision vulnerability (bypass VPN encapsulation)

Last updated: May-22-2024

CVE #

CVE-2024-3661

Publication Date

2024-05-06

Severity

High

Reference

Status

Confirmed

Overview

CVE-2024-3661, also known as "TunnelVision," is a critical vulnerability that allows attackers to bypass VPN encapsulation and redirect traffic outside the VPN tunnel using DHCP option 121. Traffic that should have been protected by the VPN can instead leave the device unencrypted, outside the tunnel, and reach the internet via a side channel created by the attacker.

Details

The TunnelVision vulnerability exploits DHCP option 121, which is used to specify classless static routes for the client's routing table. An attacker can set up a rogue DHCP server that pushes malicious routes to users' devices via option 121. When a device obtains or renews its DHCP lease, it installs those routes; because the host picks the most specific matching route, routes narrower than those the VPN client installed take precedence over the VPN tunnel and send matching traffic to the attacker's gateway instead. That traffic therefore leaves the device unencrypted, outside the VPN, and is eventually redirected to the internet via the attacker's side channel.
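As an added illustration (not part of this advisory and not EnGenius code), the following Python decodes a DHCP option 121 value as specified in RFC 3442 and flags every route that is more specific than a route the VPN client installed, which is the condition a VPN client or a DHCP monitor could alert on. It assumes a full-tunnel VPN that installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel; the option bytes are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

def parse_option121(payload: bytes) -> List[Route]:
    """Decode RFC 3442 classless static routes: each entry is a 1-byte prefix
    length, ceil(prefix/8) significant destination bytes, then a 4-byte router."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        nbytes = (plen + 7) // 8
        if i + nbytes + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        dest = int.from_bytes(payload[i:i + nbytes] + bytes(4 - nbytes), "big")
        router = ipaddress.IPv4Address(payload[i + nbytes:i + nbytes + 4])
        i += nbytes + 4
        # strict=False: a hostile sender may set host bits inside the last byte
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False), router))
    return routes

def routes_bypassing_vpn(dhcp_routes: List[Route],
                         vpn_routes: List[ipaddress.IPv4Network]) -> List[Route]:
    """Return DHCP routes that are more specific than an overlapping VPN route.
    Longest-prefix match means such a route wins, so traffic to that
    destination leaves via the LAN gateway instead of the tunnel."""
    return [(net, gw) for net, gw in dhcp_routes
            if any(net.subnet_of(v) and net.prefixlen > v.prefixlen for v in vpn_routes)]

# Constructed sample option 121 value (not from the advisory):
# 8.8.8.0/24 via 192.168.1.254, then 0.0.0.0/0 via 192.168.1.1
SAMPLE_OPTION_121 = bytes([24, 8, 8, 8, 192, 168, 1, 254, 0, 192, 168, 1, 1])

# Assumed full-tunnel VPN: two /1 routes via the tunnel override the LAN default
VPN_ROUTES = [ipaddress.IPv4Network("0.0.0.0/1"), ipaddress.IPv4Network("128.0.0.0/1")]

def check_lease(option_121: bytes = SAMPLE_OPTION_121) -> List[str]:
    """Readable list of option 121 routes that would steer traffic out of the tunnel."""
    flagged = routes_bypassing_vpn(parse_option121(option_121), VPN_ROUTES)
    return [f"{net} via {gw}" for net, gw in flagged]

if __name__ == "__main__":
    for route in check_lease():
        print("ALERT: DHCP option 121 route bypasses the VPN tunnel:", route)
```

The plain default route in the sample is not flagged because the tunnel's /1 routes are already more specific than it; only the /24 would pull traffic out of the tunnel.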

Solution

1. Enable DHCP Snooping:

Implement DHCP snooping on LAN switches to block rogue DHCP servers and harmful DHCP traffic: server replies are only accepted on ports marked as trusted, so a rogue server on a client port cannot hand out option 121 routes. DHCP snooping also restricts network access to clients with the recorded IP and/or MAC addresses and provides ARP security for controlling ARP packets within the network.

2. Ignore DHCP Option 121:

Configure the VPN client to disregard DHCP option 121 while the VPN is active, so that pushed routes cannot alter the tunnel's routing. Because this option normally adds legitimate classless static routes to the client's routing table, ignoring them might disrupt network connectivity. Therefore, proceed with caution and test thoroughly in a controlled environment before deploying widely.

Current Status

  • ECS/EXT Ethernet Switches: Current models support DHCP snooping to prevent rogue DHCP servers.

  • SecuPoint VPN Client (SSL VPN): This client does not support DHCP option 121, thus mitigating the risk from this specific vulnerability.

  • Future Enhancements: ESG/ECW devices will include logging and detection capabilities for multiple DHCP servers to provide advanced protection.

Summary

EnGenius products are equipped to protect against the TunnelVision vulnerability. Implementing DHCP snooping and ignoring DHCP option 121 are effective measures to mitigate this risk. Stay updated with future device enhancements for additional security features.