Vulnerability Details CVE-2024-3661
DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.008
EPSS Ranking 73.2%
CVSS Severity
CVSS v3 Score 7.6
References
- https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/
- https://bst.cisco.com/quickview/bug/CSCwk05814
- https://datatracker.ietf.org/doc/html/rfc2131#section-7
- https://datatracker.ietf.org/doc/html/rfc3442#section-7
- https://fortiguard.fortinet.com/psirt/FG-IR-24-170
- https://issuetracker.google.com/issues/263721377
- https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/
- https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic
- https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision
- https://my.f5.com/manage/s/article/K000139553
- https://news.ycombinator.com/item?id=40279632
- https://news.ycombinator.com/item?id=40284111
- https://security.paloaltonetworks.com/CVE-2024-3661
- https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661
- https://tunnelvisionbug.com/
- https://www.agwa.name/blog/post/hardening_openvpn_for_def_con
- https://www.leviathansecurity.com/research/tunnelvision
- https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/
- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009
- https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability
- https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/
- https://bst.cisco.com/quickview/bug/CSCwk05814
- https://datatracker.ietf.org/doc/html/rfc2131#section-7
- https://datatracker.ietf.org/doc/html/rfc3442#section-7
- https://fortiguard.fortinet.com/psirt/FG-IR-24-170
- https://issuetracker.google.com/issues/263721377
- https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/
- https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic
- https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision
- https://my.f5.com/manage/s/article/K000139553
- https://news.ycombinator.com/item?id=40279632
- https://news.ycombinator.com/item?id=40284111
- https://security.paloaltonetworks.com/CVE-2024-3661
- https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661
- https://tunnelvisionbug.com/
- https://www.agwa.name/blog/post/hardening_openvpn_for_def_con
- https://www.leviathansecurity.com/research/tunnelvision
- https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/
- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009
- https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability
Products affected by CVE-2024-3661
-
cpe:2.3:a:cisco:anyconnect_vpn_client:-
-
cpe:2.3:a:cisco:secure_client:-
-
cpe:2.3:a:citrix:secure_access_client:-
-
cpe:2.3:a:citrix:secure_access_client:23.5.1.3
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.0
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.0.1
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.0.2
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.0.3
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.0.4
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.0.5
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.1
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.10
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.2
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.2.1
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.3
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.4
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.4.1
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.5
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.5.1
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.6
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.7
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.8
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.8.1
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.8.2
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.9
-
cpe:2.3:a:f5:big-ip_access_policy_manager:15.1.9.1
-
cpe:2.3:a:f5:big-ip_access_policy_manager:16.1.0
-
cpe:2.3:a:f5:big-ip_access_policy_manager:16.1.1
-
cpe:2.3:a:f5:big-ip_access_policy_manager:16.1.2
-
cpe:2.3:a:f5:big-ip_access_policy_manager:16.1.2.2
-
cpe:2.3:a:f5:big-ip_access_policy_manager:16.1.3
-
cpe:2.3:a:f5:big-ip_access_policy_manager:16.1.3.1
-
cpe:2.3:a:f5:big-ip_access_policy_manager:16.1.3.3
-
cpe:2.3:a:f5:big-ip_access_policy_manager:16.1.3.4
-
cpe:2.3:a:f5:big-ip_access_policy_manager:16.1.3.5
-
cpe:2.3:a:f5:big-ip_access_policy_manager:16.1.4
-
cpe:2.3:a:f5:big-ip_access_policy_manager:16.1.4.1
-
cpe:2.3:a:f5:big-ip_access_policy_manager:16.1.5
-
cpe:2.3:a:f5:big-ip_access_policy_manager:17.1.0
-
cpe:2.3:a:f5:big-ip_access_policy_manager:17.1.0.1
-
cpe:2.3:a:f5:big-ip_access_policy_manager:17.1.0.2
-
cpe:2.3:a:f5:big-ip_access_policy_manager:17.1.0.3
-
cpe:2.3:a:f5:big-ip_access_policy_manager:17.1.1
-
cpe:2.3:a:f5:big-ip_access_policy_manager:17.1.2
-
cpe:2.3:a:f5:big-ip_access_policy_manager:7.2.3
-
cpe:2.3:a:f5:big-ip_access_policy_manager:7.2.4
-
cpe:2.3:a:f5:big-ip_access_policy_manager:7.2.4.1
-
cpe:2.3:a:f5:big-ip_access_policy_manager:7.2.4.4
-
cpe:2.3:a:f5:big-ip_access_policy_manager:7.2.5
-
cpe:2.3:a:fortinet:forticlient:6.4.0
-
cpe:2.3:a:fortinet:forticlient:6.4.1
-
cpe:2.3:a:fortinet:forticlient:6.4.10
-
cpe:2.3:a:fortinet:forticlient:6.4.2
-
cpe:2.3:a:fortinet:forticlient:6.4.3
-
cpe:2.3:a:fortinet:forticlient:6.4.4
-
cpe:2.3:a:fortinet:forticlient:6.4.5
-
cpe:2.3:a:fortinet:forticlient:6.4.6
-
cpe:2.3:a:fortinet:forticlient:6.4.7
-
cpe:2.3:a:fortinet:forticlient:6.4.8
-
cpe:2.3:a:fortinet:forticlient:6.4.9
-
cpe:2.3:a:fortinet:forticlient:7.0.0
-
cpe:2.3:a:fortinet:forticlient:7.0.1
-
cpe:2.3:a:fortinet:forticlient:7.0.10
-
cpe:2.3:a:fortinet:forticlient:7.0.11
-
cpe:2.3:a:fortinet:forticlient:7.0.12
-
cpe:2.3:a:fortinet:forticlient:7.0.13
-
cpe:2.3:a:fortinet:forticlient:7.0.2
-
cpe:2.3:a:fortinet:forticlient:7.0.3
-
cpe:2.3:a:fortinet:forticlient:7.0.4
-
cpe:2.3:a:fortinet:forticlient:7.0.5
-
cpe:2.3:a:fortinet:forticlient:7.0.6
-
cpe:2.3:a:fortinet:forticlient:7.0.7
-
cpe:2.3:a:fortinet:forticlient:7.0.8
-
cpe:2.3:a:fortinet:forticlient:7.0.9
-
cpe:2.3:a:fortinet:forticlient:7.2.0
-
cpe:2.3:a:fortinet:forticlient:7.2.1
-
cpe:2.3:a:fortinet:forticlient:7.2.2
-
cpe:2.3:a:fortinet:forticlient:7.2.3
-
cpe:2.3:a:fortinet:forticlient:7.2.4
-
cpe:2.3:a:fortinet:forticlient:7.4.0
-
cpe:2.3:a:paloaltonetworks:globalprotect:-
-
cpe:2.3:a:paloaltonetworks:globalprotect:4.1.0
-
cpe:2.3:a:paloaltonetworks:globalprotect:4.1.10
-
cpe:2.3:a:paloaltonetworks:globalprotect:4.1.12
-
cpe:2.3:a:paloaltonetworks:globalprotect:4.1.13
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.0
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.0.0
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.0.10
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.0.3
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.0.4
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.0.5
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.0.6
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.0.8
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.0.9
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.1
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.1.0
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.1.1
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.1.2
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.1.4
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.1.8
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.1.9
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.2
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.2.0
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.2.1
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.2.10
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.2.11
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.2.12
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.2.13
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.2.2
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.2.3
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.2.4
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.2.5
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.2.6
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.2.7
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.2.8
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.2.9
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.3
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.3.0
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.3.1
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.3.2
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.3.3
-
cpe:2.3:a:paloaltonetworks:globalprotect:5.3.4
-
cpe:2.3:a:paloaltonetworks:globalprotect:6.0.0
-
cpe:2.3:a:paloaltonetworks:globalprotect:6.0.1
-
cpe:2.3:a:paloaltonetworks:globalprotect:6.0.2
-
cpe:2.3:a:paloaltonetworks:globalprotect:6.0.3
-
cpe:2.3:a:paloaltonetworks:globalprotect:6.0.4
-
cpe:2.3:a:paloaltonetworks:globalprotect:6.0.5
-
cpe:2.3:a:paloaltonetworks:globalprotect:6.0.6
-
cpe:2.3:a:paloaltonetworks:globalprotect:6.1.0
-
cpe:2.3:a:paloaltonetworks:globalprotect:6.1.1
-
cpe:2.3:a:paloaltonetworks:globalprotect:6.1.5
-
cpe:2.3:a:paloaltonetworks:globalprotect:6.2.0
-
cpe:2.3:a:paloaltonetworks:globalprotect:6.2.4
-
cpe:2.3:a:paloaltonetworks:globalprotect:6.2.5
-
cpe:2.3:a:paloaltonetworks:globalprotect:6.3.0
-
cpe:2.3:a:paloaltonetworks:globalprotect:6.3.1
-
cpe:2.3:a:watchguard:ipsec_mobile_vpn_client:*
-
cpe:2.3:a:watchguard:mobile_vpn_with_ssl:*
-
cpe:2.3:a:zscaler:client_connector:-
-
cpe:2.3:a:zscaler:client_connector:1.3
-
cpe:2.3:a:zscaler:client_connector:1.3.0.31
-
cpe:2.3:a:zscaler:client_connector:1.3.1
-
cpe:2.3:a:zscaler:client_connector:1.3.1.6
-
cpe:2.3:a:zscaler:client_connector:1.4
-
cpe:2.3:a:zscaler:client_connector:1.4.0.105
-
cpe:2.3:a:zscaler:client_connector:1.4.0.58
-
cpe:2.3:a:zscaler:client_connector:3.6
-
cpe:2.3:a:zscaler:client_connector:3.7
-
cpe:2.3:a:zscaler:client_connector:3.7.0.182
-
cpe:2.3:a:zscaler:client_connector:3.7.0.183
-
cpe:2.3:a:zscaler:client_connector:3.7.1.42
-
cpe:2.3:a:zscaler:client_connector:3.7.1.48
-
cpe:2.3:a:zscaler:client_connector:3.7.1.49
-
cpe:2.3:a:zscaler:client_connector:3.9
-
cpe:2.3:a:zscaler:client_connector:3.9.0.81
-
cpe:2.3:a:zscaler:client_connector:3.9.0.90
-
cpe:2.3:a:zscaler:client_connector:3.9.0.95
-
cpe:2.3:a:zscaler:client_connector:4.1
-
cpe:2.3:a:zscaler:client_connector:4.2
-
cpe:2.3:o:apple:iphone_os:-
-
cpe:2.3:o:apple:macos:-
-
cpe:2.3:o:linux:linux_kernel:-