CVE-2024-3661
Published: 6 May 2024
DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.
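The mechanism described above, as an added example that is not part of the tracker entry: a decoder for the RFC 3442 option 121 payload and a check that reports DHCP-supplied routes more specific than the VPN's own routes, since the longest matching prefix wins route selection. The sample payload (documentation address ranges) and the two /1 VPN routes are constructed assumptions.

```python
import ipaddress

def parse_option_121(data: bytes):
    """Decode an RFC 3442 classless static route payload into (network, router) pairs."""
    routes, i = [], 0
    while i < len(data):
        width = data[i]                      # prefix length in bits
        if width > 32:
            raise ValueError(f"invalid prefix width {width}")
        n = (width + 7) // 8                 # only the significant octets are sent
        end = i + 1 + n + 4                  # width byte + destination + 4-byte router
        if end > len(data):
            raise ValueError("truncated option 121 payload")
        dest = data[i + 1:i + 1 + n] + bytes(4 - n)
        net = ipaddress.IPv4Network((dest, width), strict=False)
        router = ipaddress.IPv4Address(data[i + 1 + n:end])
        routes.append((net, router))
        i = end
    return routes

def routes_bypassing_vpn(dhcp_routes, vpn_routes):
    """Return (dhcp_net, router, vpn_net) for DHCP routes that beat a VPN route."""
    hits = []
    for net, router in dhcp_routes:
        for vpn in vpn_routes:
            # A longer prefix inside the VPN's range is preferred by the kernel,
            # so matching traffic leaves via the physical interface.
            if net.prefixlen > vpn.prefixlen and net.subnet_of(vpn):
                hits.append((net, router, vpn))
                break
    return hits

# Constructed sample: 198.51.100.0/24 via 192.0.2.1, then a default route via 192.0.2.1.
SAMPLE_OPTION_121 = bytes([24, 198, 51, 100, 192, 0, 2, 1,
                           0, 192, 0, 2, 1])
# Assumed VPN configuration: two /1 routes covering the whole IPv4 space.
VPN_ROUTES = [ipaddress.IPv4Network("0.0.0.0/1"),
              ipaddress.IPv4Network("128.0.0.0/1")]

if __name__ == "__main__":
    for net, router, vpn in routes_bypassing_vpn(
            parse_option_121(SAMPLE_OPTION_121), VPN_ROUTES):
        print(f"DHCP route {net} via {router} overrides VPN route {vpn}")
```

The default route in the sample is not reported because a /0 does not outrank the /1 VPN routes; the /24 is.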
Notes
Author | Note |
---|---|
rodrigo-zaiden | Other VPN software may be affected. As of 2024-05-08, there are no reports from VPN providers. |
mdeslaur | This issue is actually in the way DHCP clients handle the route option. There is no clear solution to this issue as of 2024-05-14, marking all packages as deferred for now. |
Priority
Status
Package | Release | Status |
---|---|---|
connman | bionic | Deferred |
connman | focal | Deferred |
connman | jammy | Deferred |
connman | mantic | Deferred |
connman | noble | Deferred |
connman | upstream | Needs triage |
connman | xenial | Deferred |
gadmin-openvpn-client | bionic | Deferred |
gadmin-openvpn-client | focal | Deferred |
gadmin-openvpn-client | jammy | Does not exist |
gadmin-openvpn-client | mantic | Does not exist |
gadmin-openvpn-client | noble | Does not exist |
gadmin-openvpn-client | upstream | Needs triage |
gadmin-openvpn-client | xenial | Deferred |
gadmin-openvpn-server | bionic | Deferred |
gadmin-openvpn-server | focal | Deferred |
gadmin-openvpn-server | jammy | Does not exist |
gadmin-openvpn-server | mantic | Does not exist |
gadmin-openvpn-server | noble | Does not exist |
gadmin-openvpn-server | upstream | Needs triage |
gadmin-openvpn-server | xenial | Deferred |
golang-github-apparentlymart-go-openvpn-mgmt | focal | Deferred |
golang-github-apparentlymart-go-openvpn-mgmt | jammy | Deferred |
golang-github-apparentlymart-go-openvpn-mgmt | mantic | Deferred |
golang-github-apparentlymart-go-openvpn-mgmt | noble | Deferred |
golang-github-apparentlymart-go-openvpn-mgmt | upstream | Needs triage |
kvpnc | bionic | Deferred |
kvpnc | focal | Does not exist |
kvpnc | jammy | Does not exist |
kvpnc | mantic | Does not exist |
kvpnc | noble | Does not exist |
kvpnc | upstream | Needs triage |
kvpnc | xenial | Deferred |
libreswan | bionic | Deferred |
libreswan | focal | Deferred |
libreswan | jammy | Deferred |
libreswan | mantic | Deferred |
libreswan | noble | Deferred |
libreswan | upstream | Needs triage |
mozillavpn | focal | Does not exist |
mozillavpn | jammy | Deferred |
mozillavpn | mantic | Does not exist |
mozillavpn | noble | Does not exist |
mozillavpn | upstream | Needs triage |
n2n | bionic | Deferred |
n2n | focal | Deferred |
n2n | jammy | Deferred |
n2n | mantic | Deferred |
n2n | noble | Deferred |
n2n | upstream | Needs triage |
n2n | xenial | Deferred |
network-manager-fortisslvpn | bionic | Deferred |
network-manager-fortisslvpn | focal | Deferred |
network-manager-fortisslvpn | jammy | Deferred |
network-manager-fortisslvpn | mantic | Deferred |
network-manager-fortisslvpn | noble | Deferred |
network-manager-fortisslvpn | upstream | Needs triage |
network-manager-iodine | bionic | Deferred |
network-manager-iodine | focal | Deferred |
network-manager-iodine | jammy | Deferred |
network-manager-iodine | mantic | Deferred |
network-manager-iodine | noble | Deferred |
network-manager-iodine | upstream | Needs triage |
network-manager-iodine | xenial | Deferred |
network-manager-l2tp | bionic | Deferred |
network-manager-l2tp | focal | Deferred |
network-manager-l2tp | jammy | Deferred |
network-manager-l2tp | mantic | Deferred |
network-manager-l2tp | noble | Deferred |
network-manager-l2tp | upstream | Needs triage |
network-manager-openconnect | bionic | Deferred |
network-manager-openconnect | focal | Deferred |
network-manager-openconnect | jammy | Deferred |
network-manager-openconnect | mantic | Deferred |
network-manager-openconnect | noble | Deferred |
network-manager-openconnect | upstream | Needs triage |
network-manager-openconnect | xenial | Deferred |
network-manager-openvpn | bionic | Deferred |
network-manager-openvpn | focal | Deferred |
network-manager-openvpn | jammy | Deferred |
network-manager-openvpn | mantic | Deferred |
network-manager-openvpn | noble | Deferred |
network-manager-openvpn | upstream | Needs triage |
network-manager-openvpn | xenial | Deferred |
network-manager-pptp | bionic | Deferred |
network-manager-pptp | focal | Deferred |
network-manager-pptp | jammy | Deferred |
network-manager-pptp | mantic | Deferred |
network-manager-pptp | noble | Deferred |
network-manager-pptp | upstream | Needs triage |
network-manager-pptp | xenial | Deferred |
network-manager-sstp | focal | Does not exist |
network-manager-sstp | jammy | Deferred |
network-manager-sstp | mantic | Deferred |
network-manager-sstp | noble | Deferred |
network-manager-sstp | upstream | Does not exist |
network-manager-strongswan | bionic | Deferred |
network-manager-strongswan | focal | Deferred |
network-manager-strongswan | jammy | Deferred |
network-manager-strongswan | mantic | Deferred |
network-manager-strongswan | noble | Deferred |
network-manager-strongswan | upstream | Needs triage |
network-manager-strongswan | xenial | Deferred |
network-manager-vpnc | bionic | Deferred |
network-manager-vpnc | focal | Deferred |
network-manager-vpnc | jammy | Deferred |
network-manager-vpnc | mantic | Deferred |
network-manager-vpnc | noble | Deferred |
network-manager-vpnc | upstream | Needs triage |
network-manager-vpnc | xenial | Deferred |
openconnect | bionic | Deferred |
openconnect | focal | Deferred |
openconnect | jammy | Deferred |
openconnect | mantic | Deferred |
openconnect | noble | Deferred |
openconnect | upstream | Needs triage |
openconnect | xenial | Deferred |
openfortivpn | bionic | Deferred |
openfortivpn | focal | Deferred |
openfortivpn | jammy | Deferred |
openfortivpn | mantic | Deferred |
openfortivpn | noble | Deferred |
openfortivpn | upstream | Needs triage |
openvpn | bionic | Deferred |
openvpn | focal | Deferred |
openvpn | jammy | Deferred |
openvpn | mantic | Deferred |
openvpn | noble | Deferred |
openvpn | trusty | Deferred |
openvpn | upstream | Needs triage |
openvpn | xenial | Deferred |
pptp-linux | bionic | Deferred |
pptp-linux | focal | Deferred |
pptp-linux | jammy | Deferred |
pptp-linux | mantic | Deferred |
pptp-linux | noble | Deferred |
pptp-linux | upstream | Needs triage |
pptp-linux | xenial | Deferred |
pptpd | bionic | Deferred |
pptpd | focal | Deferred |
pptpd | jammy | Deferred |
pptpd | mantic | Deferred |
pptpd | noble | Does not exist |
pptpd | trusty | Deferred |
pptpd | upstream | Needs triage |
pptpd | xenial | Deferred |
quicktun | bionic | Deferred |
quicktun | focal | Deferred |
quicktun | jammy | Deferred |
quicktun | mantic | Deferred |
quicktun | noble | Deferred |
quicktun | upstream | Needs triage |
riseup-vpn | focal | Does not exist |
riseup-vpn | jammy | Does not exist |
riseup-vpn | mantic | Deferred |
riseup-vpn | noble | Deferred |
riseup-vpn | upstream | Needs triage |
softether-vpn | focal | Does not exist |
softether-vpn | jammy | Deferred |
softether-vpn | mantic | Deferred |
softether-vpn | noble | Deferred |
softether-vpn | upstream | Needs triage |
sshuttle | bionic | Deferred |
sshuttle | focal | Deferred |
sshuttle | jammy | Deferred |
sshuttle | mantic | Deferred |
sshuttle | noble | Deferred |
sshuttle | upstream | Needs triage |
sshuttle | xenial | Deferred |
tinc | bionic | Deferred |
tinc | focal | Deferred |
tinc | jammy | Deferred |
tinc | mantic | Deferred |
tinc | noble | Deferred |
tinc | upstream | Needs triage |
tinc | xenial | Deferred |
vpnc | bionic | Deferred |
vpnc | focal | Deferred |
vpnc | jammy | Deferred |
vpnc | mantic | Deferred |
vpnc | noble | Deferred |
vpnc | upstream | Needs triage |
vpnc | xenial | Deferred |
wireguard | bionic | Deferred |
wireguard | focal | Deferred |
wireguard | jammy | Deferred |
wireguard | mantic | Deferred |
wireguard | noble | Deferred |
wireguard | upstream | Needs triage |
wireguard | xenial | Deferred |
References
- https://www.cve.org/CVERecord?id=CVE-2024-3661
- https://datatracker.ietf.org/doc/html/rfc2131#section-7
- https://datatracker.ietf.org/doc/html/rfc3442#section-7
- https://tunnelvisionbug.com/
- https://www.leviathansecurity.com/research/tunnelvision
- https://news.ycombinator.com/item?id=40279632
- https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/
- https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/
- https://issuetracker.google.com/issues/263721377
- https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision
- https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability
- https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic
- https://news.ycombinator.com/item?id=40284111
- https://www.agwa.name/blog/post/hardening_openvpn_for_def_con
- NVD
- Launchpad
- Debian