In a blog post May 6, researchers at the Leviathan Security Group explained that because this technique exploits a DHCP flaw and does not depend on exploiting VPN technologies or underlying protocols, it works completely independently of the VPN provider or implementation.
The researchers explained that TunnelVision exploits CVE-2024-3661, a high-severity DHCP design flaw where messages such as the classless static route - Option 121 - are not authenticated, exposing them to manipulation.
Callie Guenther, senior manager of threat research at Critical Start and an SC Media columnist, explained that Option 121 lets network administrators define the routing directives that DHCP clients should use.
Guenther said because these DHCP routing directives are not authenticated, they are susceptible to manipulation by an attacker.
Craig Harber, security evangelist at Open Systems, added that by using Option 121 to route VPN traffic through the DHCP server, the attack diverts the data to the DHCP server itself.
This Cyber News was published on packetstormsecurity.com. Publication date: Thu, 09 May 2024 15:43:06 +0000