New attack leaks VPN traffic using rogue DHCP servers
A new attack dubbed "TunnelVision" can route traffic outside a VPN's encryption tunnel, allowing attackers to snoop on unencrypted traffic while maintaining the appearance of a secure VPN connection.
The attackers set up a rogue DHCP server that alters the routing tables so that all VPN traffic is sent straight to the local network or a malicious gateway, never entering the encrypted VPN tunnel.
"Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway," reads the report.
Mitigations for VPN users:
- Use network namespaces on Linux to isolate network interfaces and routing tables from the rest of the system, preventing rogue DHCP configurations from affecting VPN traffic.
- Configure VPN clients to deny all inbound and outbound traffic that does not use the VPN interface.
As for VPN providers, they are encouraged to enhance their client software to implement their own DHCP handlers or integrate additional security checks that would block applying risky DHCP configurations.
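A defender-side check for the routing-table change described above, added here as an example and not taken from the report or the article: it scans `ip -4 route show` output for routes on a non-VPN interface that are more specific than the VPN's routes and would therefore win over the tunnel. The interface names, addresses, sample output and function names are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed `ip -4 route show` output (not from the article). Assumed names:
# tun0 is the VPN interface, 203.0.113.10 the VPN server, eth0 the LAN NIC.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 dev tun0 scope link
128.0.0.0/1 dev tun0 scope link
203.0.113.10 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
10.0.0.0/8 via 192.168.1.66 dev eth0 proto dhcp metric 100
198.51.100.0/24 via 192.168.1.66 dev eth0 proto dhcp metric 100
"""

def _field(tokens, key):
    """Return the token following `key`, or None if the key is absent."""
    if key in tokens[1:-1]:
        return tokens[tokens.index(key, 1) + 1]
    return None

def parse_route(line):
    """Parse one route line into a dict; return None if it is not a prefix route."""
    tokens = line.split()
    if not tokens:
        return None
    dest = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
    try:
        net = ipaddress.ip_network(dest, strict=False)
    except ValueError:  # e.g. "unreachable ..." or "blackhole ..." entries
        return None
    return {"net": net, "dev": _field(tokens, "dev"), "via": _field(tokens, "via"),
            "proto": _field(tokens, "proto"), "raw": line.strip()}

def find_bypass_routes(route_text, vpn_iface, vpn_endpoint):
    """Return routes that would carry traffic around the VPN interface."""
    routes = [r for r in map(parse_route, route_text.splitlines()) if r]
    vpn_nets = [r["net"] for r in routes if r["dev"] == vpn_iface]
    endpoint = ipaddress.ip_network(vpn_endpoint)  # tunnel's own outer route
    findings = []
    for r in routes:
        # Skip tunnel routes, kernel-created connected routes, and the host
        # route to the VPN server, which must leave via the physical NIC.
        if r["dev"] == vpn_iface or r["proto"] == "kernel" or r["net"] == endpoint:
            continue
        # A strictly more specific prefix wins longest-prefix match over the VPN.
        if any(r["net"] != v and r["net"].subnet_of(v) for v in vpn_nets):
            findings.append(r)
    return findings

if __name__ == "__main__":
    for r in find_bypass_routes(SAMPLE_ROUTES, "tun0", "203.0.113.10"):
        print("route bypasses tunnel:", r["raw"])
```

The check only covers the routing table text it is given; VPN clients that use policy routing keep routes in additional tables, and each of those needs the same inspection.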