New attack leaks VPN traffic using rogue DHCP servers (Security News, May 2024)
A new attack dubbed "TunnelVision" can route traffic outside a VPN's encryption tunnel, allowing attackers to snoop on unencrypted traffic while maintaining the appearance of a secure VPN connection.
The attackers set up a rogue DHCP server that alters the routing tables so that all VPN traffic is sent straight to the local network or a malicious gateway, never entering the encrypted VPN tunnel.
"Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway," reads the report.
Mitigations suggested for VPN users:
- Use network namespaces on Linux to isolate network interfaces and routing tables from the rest of the system, preventing rogue DHCP configurations from affecting VPN traffic.
- Configure VPN clients to deny all inbound and outbound traffic that does not use the VPN interface.
As for VPN providers, they are encouraged to enhance their client software to implement their own DHCP handlers or integrate additional security checks that would block applying risky DHCP configurations.
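One form such a check could take, as an added example that is not from the report or from any VPN client: audit the IPv4 routing table for gatewayed routes on a non-VPN interface that are more specific than the tunnel's routes and therefore win the longest-prefix match. The interface names `tun0` and `wlan0`, every address and the sample table are constructed for illustration.

```python
import ipaddress

# Constructed `ip -4 route show` output (all addresses invented). tun0 is the
# VPN interface; the 0.0.0.0/2 route via 192.168.1.66 stands in for a route
# pushed by a rogue DHCP server.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 dev tun0 scope link
128.0.0.0/1 dev tun0 scope link
0.0.0.0/2 via 192.168.1.66 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0
"""

def parse_routes(text):
    """Turn `ip route` lines into (network, device, gateway) tuples."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        net = ipaddress.ip_network(dest, strict=False)
        dev = tok[tok.index("dev") + 1]
        via = tok[tok.index("via") + 1] if "via" in tok else None
        routes.append((net, dev, via))
    return routes

def egress_device(routes, dest):
    """Longest-prefix match: the device the kernel would pick for dest."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def bypass_routes(routes, vpn_dev, vpn_server):
    """Gatewayed non-VPN routes that are more specific than a VPN route.

    The host route to the VPN server itself is expected and is skipped.
    Equal-length prefixes (decided by metric) are not examined here.
    """
    vpn_nets = [net for net, dev, _ in routes if dev == vpn_dev]
    server = ipaddress.ip_network(vpn_server)
    return [
        (net, dev, via) for net, dev, via in routes
        if dev != vpn_dev and via is not None and net != server
        and any(net.subnet_of(v) and net.prefixlen > v.prefixlen for v in vpn_nets)
    ]

if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for net, dev, via in bypass_routes(table, "tun0", "203.0.113.10"):
        print(f"route {net} via {via} on {dev} overrides the tunnel")
    print("8.8.8.8 leaves via", egress_device(table, "8.8.8.8"))
```

On a live Linux host the same functions can be fed the text printed by `ip -4 route show`.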