描述
DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.
AI分析AI驱动
受影响产品
fortinetforticlient
fortinetforticlient
fortinetforticlient
fortinetforticlient
7.4.0
fortinetforticlient
7.4.0
fortinetforticlient
7.4.0
ciscoanyconnect_vpn_client
-
ciscosecure_client
-
paloaltonetworksglobalprotect
paloaltonetworksglobalprotect
paloaltonetworksglobalprotect
paloaltonetworksglobalprotect
citrixsecure_access_client
appleiphone_os
-
applemacos
-
citrixsecure_access_client
linuxlinux_kernel
-
f5big-ip_access_policy_manager
f5big-ip_access_policy_manager
f5big-ip_access_policy_manager
f5big-ip_access_policy_manager
watchguardipsec_mobile_vpn_client
watchguardipsec_mobile_vpn_client
watchguardmobile_vpn_with_ssl
watchguardmobile_vpn_with_ssl
zscalerclient_connector
zscalerclient_connector
zscalerclient_connector
zscalerclient_connector
-
参考资料
- https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/ExploitPress/Media Coverage
- https://bst.cisco.com/quickview/bug/CSCwk05814Third Party AdvisoryVendor Advisory
- https://datatracker.ietf.org/doc/html/rfc2131#section-7Related
- https://datatracker.ietf.org/doc/html/rfc3442#section-7Related
- https://fortiguard.fortinet.com/psirt/FG-IR-24-170Vendor Advisory
- https://issuetracker.google.com/issues/263721377Issue Tracking
- https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/ExploitPress/Media Coverage
- https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-trafficIssue Tracking
- https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvisionThird Party Advisory
- https://my.f5.com/manage/s/article/K000139553Vendor Advisory
- https://news.ycombinator.com/item?id=40279632Issue Tracking
- https://news.ycombinator.com/item?id=40284111Issue Tracking
- https://security.paloaltonetworks.com/CVE-2024-3661Vendor Advisory
- https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661Vendor Advisory
- https://tunnelvisionbug.com/ExploitThird Party Advisory
- https://www.agwa.name/blog/post/hardening_openvpn_for_def_conRelated
- https://www.leviathansecurity.com/research/tunnelvisionThird Party Advisory
- https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/ExploitPress/Media Coverage
- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009MitigationThird Party AdvisoryVendor Advisory
- https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerabilityExploitThird Party AdvisoryVendor Advisory