CVE-2024-3661

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-3661
DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.

7.6 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 4.7

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/ Press/Media Coverage
https://bst.cisco.com/quickview/bug/CSCwk05814 Vendor Advisory
https://datatracker.ietf.org/doc/html/rfc2131#section-7 Related
https://datatracker.ietf.org/doc/html/rfc3442#section-7 Related
https://fortiguard.fortinet.com/psirt/FG-IR-24-170 Vendor Advisory
https://issuetracker.google.com/issues/263721377 Issue Tracking
https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/ Press/Media Coverage
https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic Issue Tracking
https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision Third Party Advisory
https://my.f5.com/manage/s/article/K000139553 Vendor Advisory
https://news.ycombinator.com/item?id=40279632 Issue Tracking
https://news.ycombinator.com/item?id=40284111 Issue Tracking
https://security.paloaltonetworks.com/CVE-2024-3661 Vendor Advisory
https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661 Vendor Advisory
https://tunnelvisionbug.com/ Exploit Third Party Advisory
https://www.agwa.name/blog/post/hardening_openvpn_for_def_con Related
https://www.leviathansecurity.com/research/tunnelvision Third Party Advisory
https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/ Press/Media Coverage
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009 Mitigation Third Party Advisory
https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability Exploit Third Party Advisory
https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/ Exploit Press/Media Coverage
https://bst.cisco.com/quickview/bug/CSCwk05814 Third Party Advisory
https://datatracker.ietf.org/doc/html/rfc2131#section-7 Related
https://datatracker.ietf.org/doc/html/rfc3442#section-7 Related
https://fortiguard.fortinet.com/psirt/FG-IR-24-170 Vendor Advisory
https://issuetracker.google.com/issues/263721377 Issue Tracking
https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/ Exploit Press/Media Coverage
https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic Issue Tracking
https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision Third Party Advisory
https://my.f5.com/manage/s/article/K000139553 Vendor Advisory
https://news.ycombinator.com/item?id=40279632 Issue Tracking
https://news.ycombinator.com/item?id=40284111 Issue Tracking
https://security.paloaltonetworks.com/CVE-2024-3661 Vendor Advisory
https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661 Vendor Advisory
https://tunnelvisionbug.com/ Exploit Third Party Advisory
https://www.agwa.name/blog/post/hardening_openvpn_for_def_con Related
https://www.leviathansecurity.com/research/tunnelvision Third Party Advisory
https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/ Exploit Press/Media Coverage
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009 Mitigation Vendor Advisory
https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:linux:*:*
cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:macos:*:*
cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:windows:*:*
cpe:2.3:a:fortinet:forticlient:7.4.0:*:*:*:*:linux:*:*
cpe:2.3:a:fortinet:forticlient:7.4.0:*:*:*:*:macos:*:*
cpe:2.3:a:fortinet:forticlient:7.4.0:*:*:*:*:windows:*:*

Configuration 2 (hide)

OR cpe:2.3:a:cisco:anyconnect_vpn_client:-:*:*:*:*:*:*:*
cpe:2.3:a:cisco:secure_client:-:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:iphone_os:*:*
cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:linux:*:*
cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:macos:*:*
cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:windows:*:*

Configuration 4 (hide)

AND
cpe:2.3:a:citrix:secure_access_client:*:*:*:*:*:*:*:*
OR cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:a:citrix:secure_access_client:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

Configuration 6 (hide)

OR cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*

Configuration 7 (hide)

OR cpe:2.3:a:watchguard:ipsec_mobile_vpn_client:*:*:*:*:*:macos:*:*
cpe:2.3:a:watchguard:ipsec_mobile_vpn_client:*:*:*:*:*:windows:*:*
cpe:2.3:a:watchguard:mobile_vpn_with_ssl:*:*:*:*:*:macos:*:*
cpe:2.3:a:watchguard:mobile_vpn_with_ssl:*:*:*:*:*:windows:*:*

Configuration 8 (hide)

OR cpe:2.3:a:zscaler:client_connector:*:*:*:*:*:linux:*:*
cpe:2.3:a:zscaler:client_connector:*:*:*:*:*:macos:*:*
cpe:2.3:a:zscaler:client_connector:*:*:*:*:*:linux:*:*
cpe:2.3:a:zscaler:client_connector:-:*:*:*:*:windows:*:*
History

15 Jan 2025, 16:50

Type Values Removed Values Added
First Time Cisco secure Client
Paloaltonetworks globalprotect
Cisco
Paloaltonetworks
Fortinet forticlient
Apple iphone Os
F5 big-ip Access Policy Manager
Apple
F5
Apple macos
Citrix secure Access Client
Watchguard
Cisco anyconnect Vpn Client
Watchguard mobile Vpn With Ssl
Fortinet
Watchguard ipsec Mobile Vpn Client
Linux
Linux linux Kernel
Zscaler client Connector
Citrix
Zscaler
References () https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/ - () https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/ - Exploit, Press/Media Coverage
References () https://bst.cisco.com/quickview/bug/CSCwk05814 - () https://bst.cisco.com/quickview/bug/CSCwk05814 - Third Party Advisory
References () https://datatracker.ietf.org/doc/html/rfc2131#section-7 - () https://datatracker.ietf.org/doc/html/rfc2131#section-7 - Related
References () https://datatracker.ietf.org/doc/html/rfc3442#section-7 - () https://datatracker.ietf.org/doc/html/rfc3442#section-7 - Related
References () https://fortiguard.fortinet.com/psirt/FG-IR-24-170 - () https://fortiguard.fortinet.com/psirt/FG-IR-24-170 - Vendor Advisory
References () https://issuetracker.google.com/issues/263721377 - () https://issuetracker.google.com/issues/263721377 - Issue Tracking
References () https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/ - () https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/ - Exploit, Press/Media Coverage
References () https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic - () https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic - Issue Tracking
References () https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision - () https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision - Third Party Advisory
References () https://my.f5.com/manage/s/article/K000139553 - () https://my.f5.com/manage/s/article/K000139553 - Vendor Advisory
References () https://news.ycombinator.com/item?id=40279632 - () https://news.ycombinator.com/item?id=40279632 - Issue Tracking
References () https://news.ycombinator.com/item?id=40284111 - () https://news.ycombinator.com/item?id=40284111 - Issue Tracking
References () https://security.paloaltonetworks.com/CVE-2024-3661 - () https://security.paloaltonetworks.com/CVE-2024-3661 - Vendor Advisory
References () https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661 - () https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661 - Vendor Advisory
References () https://tunnelvisionbug.com/ - () https://tunnelvisionbug.com/ - Exploit, Third Party Advisory
References () https://www.agwa.name/blog/post/hardening_openvpn_for_def_con - () https://www.agwa.name/blog/post/hardening_openvpn_for_def_con - Related
References () https://www.leviathansecurity.com/research/tunnelvision - () https://www.leviathansecurity.com/research/tunnelvision - Third Party Advisory
References () https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/ - () https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/ - Exploit, Press/Media Coverage
References () https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009 - () https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009 - Mitigation, Vendor Advisory
References () https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability - () https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability - Exploit, Vendor Advisory
CPE cpe:2.3:a:watchguard:ipsec_mobile_vpn_client:*:*:*:*:*:macos:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlient:7.4.0:*:*:*:*:windows:*:*
cpe:2.3:a:fortinet:forticlient:7.4.0:*:*:*:*:macos:*:*
cpe:2.3:a:zscaler:client_connector:*:*:*:*:*:linux:*:*
cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:linux:*:*
cpe:2.3:a:zscaler:client_connector:*:*:*:*:*:macos:*:*
cpe:2.3:a:watchguard:mobile_vpn_with_ssl:*:*:*:*:*:macos:*:*
cpe:2.3:a:cisco:secure_client:-:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:forticlient:7.4.0:*:*:*:*:linux:*:*
cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:linux:*:*
cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*
cpe:2.3:a:cisco:anyconnect_vpn_client:-:*:*:*:*:*:*:*
cpe:2.3:a:citrix:secure_access_client:*:*:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:iphone_os:*:*
cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:macos:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:a:zscaler:client_connector:-:*:*:*:*:windows:*:*
cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:windows:*:*
cpe:2.3:a:watchguard:mobile_vpn_with_ssl:*:*:*:*:*:windows:*:*
cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:macos:*:*
cpe:2.3:a:watchguard:ipsec_mobile_vpn_client:*:*:*:*:*:windows:*:*
cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:windows:*:*

21 Nov 2024, 09:30

Type Values Removed Values Added
References () https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/ - () https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/ -
References () https://bst.cisco.com/quickview/bug/CSCwk05814 - () https://bst.cisco.com/quickview/bug/CSCwk05814 -
References () https://datatracker.ietf.org/doc/html/rfc2131#section-7 - () https://datatracker.ietf.org/doc/html/rfc2131#section-7 -
References () https://datatracker.ietf.org/doc/html/rfc3442#section-7 - () https://datatracker.ietf.org/doc/html/rfc3442#section-7 -
References () https://fortiguard.fortinet.com/psirt/FG-IR-24-170 - () https://fortiguard.fortinet.com/psirt/FG-IR-24-170 -
References () https://issuetracker.google.com/issues/263721377 - () https://issuetracker.google.com/issues/263721377 -
References () https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/ - () https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/ -
References () https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic - () https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic -
References () https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision - () https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision -
References () https://my.f5.com/manage/s/article/K000139553 - () https://my.f5.com/manage/s/article/K000139553 -
References () https://news.ycombinator.com/item?id=40279632 - () https://news.ycombinator.com/item?id=40279632 -
References () https://news.ycombinator.com/item?id=40284111 - () https://news.ycombinator.com/item?id=40284111 -
References () https://security.paloaltonetworks.com/CVE-2024-3661 - () https://security.paloaltonetworks.com/CVE-2024-3661 -
References () https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661 - () https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661 -
References () https://tunnelvisionbug.com/ - () https://tunnelvisionbug.com/ -
References () https://www.agwa.name/blog/post/hardening_openvpn_for_def_con - () https://www.agwa.name/blog/post/hardening_openvpn_for_def_con -
References () https://www.leviathansecurity.com/research/tunnelvision - () https://www.leviathansecurity.com/research/tunnelvision -
References () https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/ - () https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/ -
References () https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009 - () https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009 -
References () https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability - () https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability -

01 Jul 2024, 15:15

Type Values Removed Values Added
References
  • () https://bst.cisco.com/quickview/bug/CSCwk05814 -
  • () https://fortiguard.fortinet.com/psirt/FG-IR-24-170 -
  • () https://my.f5.com/manage/s/article/K000139553 -
  • () https://security.paloaltonetworks.com/CVE-2024-3661 -
  • () https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661 -
  • () https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009 -

08 May 2024, 22:15

Type Values Removed Values Added
References
  • () https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/ -

08 May 2024, 17:15

Type Values Removed Values Added
Summary (en) By design, the DHCP protocol does not authenticate messages, including for example the classless static route option (121). An attacker with the ability to send DHCP messages can manipulate routes to redirect VPN traffic, allowing the attacker to read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN. Many, if not most VPN systems based on IP routing are susceptible to such attacks. (en) DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.

07 May 2024, 19:15

Type Values Removed Values Added
References
  • () https://news.ycombinator.com/item?id=40284111 -
  • () https://www.agwa.name/blog/post/hardening_openvpn_for_def_con -

07 May 2024, 18:15

Type Values Removed Values Added
Summary
  • (es) Por diseño, el protocolo DHCP no autentica mensajes, incluida, por ejemplo, la opción de ruta estática sin clases (121). Un atacante con la capacidad de enviar mensajes DHCP puede manipular rutas para redirigir el tráfico VPN, lo que le permite leer, interrumpir o posiblemente modificar el tráfico de red que se esperaba que estuviera protegido por la VPN. Muchos, si no la mayoría, de los sistemas VPN basados en enrutamiento IP son susceptibles a este tipo de ataques.
References
  • () https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/ -
  • () https://issuetracker.google.com/issues/263721377 -
  • () https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/ -
  • () https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic -
  • () https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision -
  • () https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability -

07 May 2024, 06:15

Type Values Removed Values Added
References
  • () https://news.ycombinator.com/item?id=40279632 -

07 May 2024, 01:15

Type Values Removed Values Added
References
  • {'url': 'https://www.leviathansecurity.com/blog/tunnelvision', 'source': '9119a7d8-5eab-497f-8521-727c672e3725'}
  • () https://tunnelvisionbug.com/ -
  • () https://www.leviathansecurity.com/research/tunnelvision -
CVSS v2 : unknown
v3 : 8.8 		v2 : unknown
v3 : 7.6

06 May 2024, 19:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-05-06 19:15

Updated : 2025-01-15 16:50

NVD link : CVE-2024-3661

Mitre link : CVE-2024-3661

CVE.ORG link : CVE-2024-3661

JSON object : View

Products Affected

fortinet

  • forticlient

zscaler

  • client_connector

watchguard

  • mobile_vpn_with_ssl
  • ipsec_mobile_vpn_client

linux

  • linux_kernel

apple

  • macos
  • iphone_os

cisco

  • anyconnect_vpn_client
  • secure_client

citrix

  • secure_access_client

f5

  • big-ip_access_policy_manager

paloaltonetworks

  • globalprotect
CWE
CWE-306

Missing Authentication for Critical Function

CWE-501

Trust Boundary Violation