TunnelVision Attack Exposes VPN Traffic to Hijacking via DHCP Manipulation

Researchers have disclosed a VPN bypass technique called TunnelVision that lets an attacker on the same local network as the victim intercept and manipulate traffic that should have been carried inside the VPN tunnel. The issue is tracked as CVE-2024-3661 (CVSS 7.6) and affects every operating system whose DHCP client honours DHCP option 121 (classless static routes).

TunnelVision abuses a design property of DHCP rather than a flaw in any particular VPN: DHCP messages are not authenticated, so any host on the LAN can answer a client's request. The attacker runs a rogue DHCP server and uses option 121 (classless static routes, RFC 3442) to push routes into the victim's routing table. Those routes are installed on the physical interface and can be made more specific than the routes the VPN client installed on its tunnel interface, so longest-prefix matching sends the matching packets to the attacker's gateway before they ever enter the tunnel. The traffic therefore leaves the host in the clear: the VPN's encryption is never applied to it.

DHCP (Dynamic Host Configuration Protocol) automatically hands devices an IP address and other network settings: the server leases addresses from a pool and reclaims them when the lease expires. Because the client has no way to verify who sent an offer or the options inside it, an attacker on the same segment can inject static routes that steer traffic meant for the VPN to the attacker's machine instead.

Once the attacker controls the routing, they can read, drop, or modify the traffic the VPN was supposed to protect. The technique does not depend on the VPN protocol or provider, and it does not break the VPN's cryptography; it relies only on DHCP and on how the host's routing table selects an outgoing interface.

Researchers explained the process: “Our technique is to run a DHCP server on the same network as a targeted VPN user and configure it to act as a gateway. When traffic passes through our gateway, we forward it to a legitimate gateway while snooping on the data.”

For the attack to succeed, the targeted device must accept a lease from the attacker's server and honour the option 121 routes in it. Windows, Linux, macOS, and iOS are affected; Android is not, because its DHCP client does not implement option 121. VPN clients that enforce the tunnel only through routing rules are the ones exposed. Clients that also apply firewall rules (a kill switch) or run the VPN in a separate network namespace on Linux can block the leaked traffic, although the attacker still controls which routes the host uses.

TunnelVision is in the same family as TunnelCrack, disclosed in 2023, which also leaks traffic outside the VPN tunnel on untrusted networks. Both rest on the same principle: rather than attacking the tunnel itself, the attacker arranges for traffic to be routed around it.

The researchers also note two refinements. DHCP starvation (exhausting the legitimate server's address pool) makes it more likely that the victim accepts the rogue lease in the first place. And because the attacker controls the pushed routes, even a VPN whose firewall rules stop the cleartext leak can still have traffic to chosen destinations selectively denied, which the researchers describe as a side channel. In the plain case, the option 121 routes carry the victim's traffic unencrypted to the attacker's gateway, which forwards it to the internet so that the victim notices nothing.

On managed networks, the effective defences are on the switch: DHCP snooping to drop offers from ports that are not the trusted DHCP server, dynamic ARP inspection, and port security. On the host side, Linux users can run the VPN inside a network namespace so that the physical interface's routes cannot affect tunnelled traffic, or configure the DHCP client to ignore pushed routes (for example `ipv4.ignore-auto-routes` in NetworkManager or `UseRoutes=no` in systemd-networkd), at the cost of losing legitimate option 121 routes. Because the behaviour is by design in the DHCP client rather than a bug in one product, keeping systems updated helps only where a VPN vendor ships a mitigation; on untrusted networks, the safest assumption is that a routing-only VPN does not protect local traffic from a rogue DHCP server.
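To make the mechanism concrete, the following added example (written for this article; it is not the researchers' proof of concept and uses constructed addresses and interface names) does three things: it encodes and decodes the RFC 3442 option 121 payload described earlier, it simulates the routing decision that lets pushed routes win over a VPN's catch-all routes, and it sketches the kind of client-side sanity check a defender could apply to an incoming DHCP offer. The interface names `tun0` and `eth0`, the gateway addresses, and the `audit_offer` policy are all assumptions of the example.

```python
import ipaddress

# Constructed sample values for this example (not from the advisory).
VPN_IFACE = "tun0"
PHYS_IFACE = "eth0"
LEGIT_GATEWAY = "192.168.1.1"
ROGUE_GATEWAY = "192.168.1.66"   # attacker's host on the same LAN
VPN_SERVER = "203.0.113.10"      # TEST-NET-3 address standing in for the VPN endpoint


def encode_option121(routes):
    """Serialize [(cidr, gateway), ...] into RFC 3442 wire format.

    Each entry is: prefix length (1 byte), only the significant octets of the
    network address (ceil(prefixlen/8) bytes), then the 4-byte router address.
    """
    out = bytearray()
    for cidr, gw in routes:
        net = ipaddress.IPv4Network(cidr, strict=False)
        n = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:n]
        out += ipaddress.IPv4Address(gw).packed
    return bytes(out)


def decode_option121(payload):
    """Parse an option 121 payload into [(IPv4Network, IPv4Address), ...]."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        n = (plen + 7) // 8
        if plen > 32 or i + 1 + n + 4 > len(payload):
            raise ValueError("malformed option 121 payload")
        net_bytes = payload[i + 1:i + 1 + n] + b"\x00" * (4 - n)
        gw = ipaddress.IPv4Address(payload[i + 1 + n:i + 5 + n])
        net = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(net_bytes)}/{plen}", strict=False)
        routes.append((net, gw))
        i += 1 + n + 4
    return routes


class RoutingTable:
    """Minimal longest-prefix-match table: entries are (network, iface, gateway, metric)."""

    def __init__(self):
        self.entries = []

    def add(self, cidr, iface, gateway=None, metric=0):
        self.entries.append((ipaddress.IPv4Network(cidr, strict=False), iface, gateway, metric))

    def lookup(self, dst):
        d = ipaddress.IPv4Address(dst)
        matches = [e for e in self.entries if d in e[0]]
        if not matches:
            return None
        # Longest prefix wins; ties go to the lowest metric, as real kernels do.
        _net, iface, gw, _metric = max(matches, key=lambda e: (e[0].prefixlen, -e[3]))
        return iface, gw


def vpn_up_table():
    """Routing state after a typical routing-based VPN client connects."""
    rt = RoutingTable()
    rt.add("0.0.0.0/0", PHYS_IFACE, LEGIT_GATEWAY, metric=100)  # original default route
    rt.add("192.168.1.0/24", PHYS_IFACE)                        # local LAN
    rt.add(f"{VPN_SERVER}/32", PHYS_IFACE, LEGIT_GATEWAY)       # keep the tunnel endpoint reachable
    rt.add("0.0.0.0/1", VPN_IFACE)                              # two /1 routes are how many clients
    rt.add("128.0.0.0/1", VPN_IFACE)                            # capture all traffic into the tunnel
    return rt


def apply_option121(rt, payload, iface):
    """Install pushed routes on the physical interface, as a DHCP client would."""
    for net, gw in decode_option121(payload):
        rt.add(str(net), iface, str(gw))
    return rt


def rogue_payload():
    # Four /2 routes cover all of IPv4 and are more specific than the VPN's /1s, so
    # longest-prefix match sends everything to the rogue gateway. Any prefix longer
    # than the VPN's routes (or one aimed at a single target network) works the same way.
    return encode_option121([(f"{b}.0.0.0/2", ROGUE_GATEWAY) for b in (0, 64, 128, 192)])


def audit_offer(server_id, payload, expected_server, expected_gateway):
    """Hypothetical client-side check of a DHCP offer; returns a list of findings."""
    findings = []
    if server_id != expected_server:
        findings.append(f"offer from unexpected DHCP server {server_id}")
    for net, gw in decode_option121(payload):
        if str(gw) != expected_gateway:
            findings.append(f"route {net} via unexpected gateway {gw}")
        if net.prefixlen <= 2:
            findings.append(f"route {net} is broad enough to shadow a VPN catch-all")
    return findings


if __name__ == "__main__":
    rt = vpn_up_table()
    print("before rogue lease:", rt.lookup("1.1.1.1"))
    apply_option121(rt, rogue_payload(), PHYS_IFACE)
    print("after rogue lease: ", rt.lookup("1.1.1.1"))
    print(audit_offer(ROGUE_GATEWAY, rogue_payload(), LEGIT_GATEWAY, LEGIT_GATEWAY))
```

Before the rogue lease a packet to 1.1.1.1 leaves on `tun0`; after it, the same packet leaves on `eth0` towards the attacker, while the /32 route to the VPN server is untouched, so the tunnel stays up and the client shows no sign that anything changed. The `audit_offer` check is deliberately simple: in practice a host cannot know the "expected" server on an unfamiliar network, which is why the switch-side and namespace-based mitigations above are the ones that hold.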