Leviathan Security Group has issued a warning about a new VPN bypass technique called TunnelVision, which exploits a DHCP design flaw (CVE-2024-3661) to redirect VPN traffic off the tunnel and onto the local network. By manipulating route tables, attackers can force traffic through their own DHCP server, intercepting and potentially modifying it. This technique, termed ‘decloaking,’ requires the attacker to be on the same network as the victim and relies on the victim’s DHCP client implementing option 121. Leviathan outlines the attack process, including becoming the victim’s DHCP server through various means. Most VPN systems based on IP routing are susceptible to TunnelVision, with the vulnerability present in DHCP since 2002. Leviathan has notified relevant agencies and over 50 vendors about the issue and suggests mitigations like implementing network namespaces to isolate interfaces and routing tables from local network control.

Read more: https://www.securityweek.com/new-tunnelvision-technique-leaks-traffic-from-any-vpn-system/