A new attack technique named ‘TunnelVision’ can “decloak” Virtual Private Network (VPN) traffic by bypassing VPN encapsulation.
The new attack method, described by Leviathan Security, involves the Dynamic Host Configuration Protocol (DHCP), a fundamental component of network communication. It relies on the abuse of DHCP’s option 121, which allows the configuration of classless static routes on a client's system.
The researchers detailed how rogue DHCP servers are deployed within the same network as targeted VPN users. These servers manipulate routing tables, diverting encrypted traffic away from the VPN tunnel and exposing it to potential interception. The attack maintains the appearance of a secure VPN connection, evading detection by VPN control mechanisms such as kill switches.
“The technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway,” explained the report. “When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.”
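The mechanism behind the routing-table manipulation described above is the option 121 encoding from RFC 3442: each pushed route is a prefix length, the significant octets of the destination, and a router address. The following decoder, an added example and not code from Leviathan Security's report, parses such a payload and reports which destinations a DHCP-pushed route would pull off the tunnel because it is more specific than the VPN's own route; the option payload and the tunnel route list are constructed for illustration.

```python
"""Decode DHCP option 121 (RFC 3442 classless static routes) and report
destinations that pushed LAN routes would steer around a VPN tunnel."""
import ipaddress


def parse_option121(data: bytes) -> list[tuple[ipaddress.IPv4Network, str]]:
    """Return (destination network, router) pairs from an option 121 payload.
    Entry layout: 1 byte prefix length, ceil(len/8) significant destination
    octets, then a 4-byte router address."""
    routes, i = [], 0
    while i < len(data):
        width = data[i]
        if width > 32:
            raise ValueError(f"bad prefix length {width}")
        n = (width + 7) // 8
        dest = data[i + 1:i + 1 + n].ljust(4, b"\x00")  # pad omitted octets
        router = data[i + 1 + n:i + 5 + n]
        if len(router) != 4:
            raise ValueError("truncated route entry")
        routes.append((ipaddress.IPv4Network((dest, width)),
                       str(ipaddress.IPv4Address(router))))
        i += 5 + n
    return routes


def leaked_destinations(option121: bytes, tunnel_routes, probes) -> dict:
    """Longest-prefix match each probe against the tunnel routes and the
    DHCP-pushed LAN routes. A LAN route that is strictly more specific than
    the best tunnel route wins in the kernel's routing table, so traffic to
    that probe bypasses the tunnel; return those probes and the winning route."""
    lan_routes = parse_option121(option121)
    leaks = {}
    for p in map(ipaddress.IPv4Address, probes):
        best_tun = max((n for n in tunnel_routes if p in n),
                       key=lambda n: n.prefixlen, default=None)
        best_lan = max((n for n, _ in lan_routes if p in n),
                       key=lambda n: n.prefixlen, default=None)
        if best_lan is not None and (best_tun is None
                                     or best_lan.prefixlen > best_tun.prefixlen):
            leaks[str(p)] = str(best_lan)
    return leaks


# Constructed sample payload (not a real capture): two routes via 192.168.1.1,
# 10.0.0.0/24 (ordinary local route) and 203.0.113.0/24 (a public TEST-NET
# prefix, more specific than the tunnel's default route).
SAMPLE_OPTION121 = bytes([24, 10, 0, 0, 192, 168, 1, 1,
                          24, 203, 0, 113, 192, 168, 1, 1])
# Assumed VPN client state: a single default route through the tunnel.
TUNNEL_ROUTES = [ipaddress.IPv4Network("0.0.0.0/0")]

if __name__ == "__main__":
    print(leaked_destinations(SAMPLE_OPTION121, TUNNEL_ROUTES,
                              ["203.0.113.7", "198.51.100.1"]))
```

Feeding the decoder the option 121 bytes from a DHCP offer seen on the LAN and comparing against the routes the VPN client actually installs gives a per-destination view of what the kill switch will not notice.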
Although this security issue has received a CVE identifier (CVE-2024-3661), it’s unclear whether it should be treated as a security vulnerability.
As Leviathan Security explains, “This is debatable. We’re calling it a technique because TunnelVision doesn’t rely on violating any security properties of the underlying technologies. From our perspective, TunnelVision is how DHCP, routing tables, and VPNs are intended to work.”
“However, it contradicts VPN providers’ assurances that are commonly referenced in marketing materials; in our opinion, TunnelVision becomes a vulnerability when a VPN provider makes assurances that their product secures a customer from an attacker on an untrusted network. There’s a big difference between protecting your data in transit and protecting against all LAN attacks. VPNs were not designed to mitigate LAN attacks on the physical network and to promise otherwise is dangerous.”
The issue affects a wide range of operating systems including Windows, Linux, macOS, and iOS. Android remains unaffected due to its lack of support for DHCP option 121.
“It is not feasible to fix the issue by simply removing support for the DHCP feature because this could break Internet connectivity in some legitimate cases. The strongest recommendation we have is for VPN providers to implement network namespaces on operating systems that support them,” the researchers advised.