Source: Ubuntu.com (ubuntucve), ID UB:CVE-2024-3661
History: May 06, 2024 - 12:00 a.m.

CVE-2024-3661

Tags: dhcp, authentication, route manipulation, vpn, ip-based, vulnerability

CVSS3: 7.6 High

Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

AI Score: 7.4 High (Confidence: High)

EPSS: 0.0005 Low (Percentile: 17.2%)

DHCP can add routes to a client’s routing table via the classless static
route option (121). VPN-based security solutions that rely on routes to
redirect traffic can be forced to leak traffic over the physical interface.
An attacker on the same local network can read, disrupt, or possibly modify
network traffic that was expected to be protected by the VPN.

Notes

Author: rodrigo-zaiden
Note: Other VPN software may be affected. As of 2024-05-08, there aren't any VPN provider reports.

Author: mdeslaur
Note: This issue is actually in the way DHCP clients handle the route option. There is no clear solution to this issue as of 2024-05-14, marking all packages as deferred for now.
