58
TunnelVision - How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak (CVE-2024-3661) (www.leviathansecurity.com)
submitted 4 months ago by [email protected] to c/[email protected]
5 comments fedilink hide all child comments

cross-posted from: https://lemmy.ca/post/20720928

top 5 comments
sorted by: hot top controversial new old
[-] [email protected] 21 points 4 months ago

Interesting read.

So, in short:

  • The attacker needs to have access to your LAN and become the DHCP server, e.g. by a starvation attack or timing attacks
  • The attacked host system needs to support DHCP option 121 (atm basically every OS except Android)
  • by abusing DHCP option 121, the attacker can push routes to the attacked host system that supersede other rules in most network stacks by having a more specific prefix, e.g. a 192.168.1.1/32 will supersede 0.0.0.0/0
  • The attacker can now force the attacked host system to route the traffic intended for a VPN virtual network interface (to be encrypted and forwarded to the VPN server) to the (physical) interface used for DHCP
  • This leads to traffic intended to be sent over the VPN to not get encrypted and being sent outside the tunnel.
  • This attack can be used before or after a VPN connection is established
  • Since the VPN tunnel is still established, any implemented kill switch doesn't get triggered

DHCP option 121 is still used for a reason, especially in business networks. At least on Linux, using network namespaces will fix this. Firewall mitigations can also work, but create other (very theoretical) attack surfaces.

[-] [email protected] 5 points 4 months ago

Thank you, that was helpful!

[-] [email protected] 2 points 4 months ago

The problem isn't necessarily "stuff not sent over vpn isn't encrypted". Everyone uses TLS. It's more that you are no longer NATed behind the VPN egress IP. When governments want to assassinate anyone who touches a destination IP, having the true source IP instead of a VPN source IP is pretty helpful. For this to be practical you first need a botnet of compromised home routers... which they already have.

In a corporate environment, traffic that is VPN'd typically also undergoes better logging and deep packet inspection.

[-] [email protected] 2 points 4 months ago

The problem isn’t necessarily “stuff not sent over vpn isn’t encrypted”. Everyone uses TLS.

Never said it was. It's a noteworthy detail, since some (rare) HTTP unencrypted traffic as well as LAN traffic in general is a bit more concerning than your standard SSL traffic contentwise, apart from the IP.

For this to be practical you first need a botnet of compromised home routers

This is more of a Café/Hotel Wi-Fi thing IMO. While it may take some kind of effort to get control over some shitty IoT device in your typical home environment, pretty much every script kiddie can at least force spoof the DHCP server in an open network.

[-] [email protected] 3 points 4 months ago

Really? A cve for dhcp option 121?

this post was submitted on 07 May 2024
58 points (93.9% liked)

Programming

17026 readers
55 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]