Security News > 2024 > May > Attackers may be using TunnelVision to snoop on users’ VPN traffic (CVE-2024-3661)

Attackers may be using TunnelVision to snoop on users’ VPN traffic (CVE-2024-3661)
2024-05-08 13:23

Researchers have brought to light a new attack method - dubbed TunnelVision and uniquely identified as CVE-2024-3661 - that can be used to intercept and snoop on VPN users' traffic by attackers who are on the same local network.

"Luckily, most users who use commercial VPNs are sending web traffic which is mostly HTTPS. HTTPS traffic looks like gibberish to attackers using TunnelVision, but they know who you are sending that gibberish to which can be an issue," the researchers noted.

Attackers using the TunnelVision technique effectively exploit a built-in feature of the Dynamic Host Configuration Protocol: DHCP option 121, which allows a DHCP server to supply classless static routes for the VPN software's routing tables.

"Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it," the researchers explained.

"Regardless of whether we classify this as a technique, VPN users are affected when they rely on assurances that a VPN can secure them from attackers on their local network."

VPN users on the consumer site should consider not using untrusted networks, using a hotspot with their VPN or using the VPN inside a virtual machine that does not have a bridged network adapter.


News URL

https://www.helpnetsecurity.com/2024/05/08/tunnelvision-cve-2024-3661/