CVE-2024-3661 - Vulnerability Details

DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apple	Iphone Os Macos
Cisco	Anyconnect Vpn Client Secure Client
Citrix	Secure Access Client
F5	Big-ip Access Policy Manager
Fortinet	Forticlient
Linux	Linux Kernel
Paloaltonetworks	Globalprotect
Redhat	Enterprise Linux
Watchguard	Ipsec Mobile Vpn Client Mobile Vpn With Ssl
Zscaler	Client Connector

Configuration 1 [-]

OR	cpe:2.3:a:fortinet:forticlient::::::linux::*
	cpe:2.3:a:fortinet:forticlient::::::macos::*
	cpe:2.3:a:fortinet:forticlient::::::windows::*
	cpe:2.3:a:fortinet:forticlient:7.4.0:::::linux::
	cpe:2.3:a:fortinet:forticlient:7.4.0:::::macos::
	cpe:2.3:a:fortinet:forticlient:7.4.0:::::windows::

Configuration 2 [-]

OR	cpe:2.3:a:cisco:anyconnect_vpn_client:-:::::::*
	cpe:2.3:a:cisco:secure_client:-:::::::*

Configuration 3 [-]

OR	cpe:2.3:a:paloaltonetworks:globalprotect::::::iphone_os::*
	cpe:2.3:a:paloaltonetworks:globalprotect::::::linux::*
	cpe:2.3:a:paloaltonetworks:globalprotect::::::macos::*
	cpe:2.3:a:paloaltonetworks:globalprotect::::::windows::*

Configuration 4 [-]

AND

cpe:2.3:a:citrix:secure_access_client:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:apple:iphone_os:-:::::::*
	cpe:2.3:o:apple:macos:-:::::::*

Configuration 5 [-]

AND

cpe:2.3:a:citrix:secure_access_client:*:*:*:*:*:*:*:*

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

Configuration 6 [-]

OR	cpe:2.3:a:f5:big-ip_access_policy_manager::::::::
	cpe:2.3:a:f5:big-ip_access_policy_manager::::::::
	cpe:2.3:a:f5:big-ip_access_policy_manager::::::::
	cpe:2.3:a:f5:big-ip_access_policy_manager::::::::

Configuration 7 [-]

OR	cpe:2.3:a:watchguard:ipsec_mobile_vpn_client::::::macos::*
	cpe:2.3:a:watchguard:ipsec_mobile_vpn_client::::::windows::*
	cpe:2.3:a:watchguard:mobile_vpn_with_ssl::::::macos::*
	cpe:2.3:a:watchguard:mobile_vpn_with_ssl::::::windows::*

Configuration 8 [-]

OR	cpe:2.3:a:zscaler:client_connector::::::linux::*
	cpe:2.3:a:zscaler:client_connector::::::macos::*
	cpe:2.3:a:zscaler:client_connector::::::linux::*
	cpe:2.3:a:zscaler:client_connector:-:::::windows::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
NetworkManager-1:1.40.16-18.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:0288	2025-01-13T00:00:00Z
NetworkManager-1:1.40.16-18.el8_10	cpe:/o:redhat:enterprise_linux:8	RHSA-2025:0288	2025-01-13T00:00:00Z
Red Hat Enterprise Linux 9
NetworkManager-1:1.48.10-5.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:0377	2025-01-16T00:00:00Z
NetworkManager-1:1.48.10-5.el9_5	cpe:/o:redhat:enterprise_linux:9	RHSA-2025:0377	2025-01-16T00:00:00Z

References

Link	Providers
https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/
https://bst.cisco.com/quickview/bug/CSCwk05814
https://datatracker.ietf.org/doc/html/rfc2131#section-7
https://datatracker.ietf.org/doc/html/rfc3442#section-7
https://fortiguard.fortinet.com/psirt/FG-IR-24-170
https://issuetracker.google.com/issues/263721377
https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/
https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic
https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision
https://my.f5.com/manage/s/article/K000139553
https://news.ycombinator.com/item?id=40279632
https://news.ycombinator.com/item?id=40284111
https://nvd.nist.gov/vuln/detail/CVE-2024-3661
https://security.paloaltonetworks.com/CVE-2024-3661
https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661
https://tunnelvisionbug.com/
https://www.agwa.name/blog/post/hardening_openvpn_for_def_con
https://www.cve.org/CVERecord?id=CVE-2024-3661
https://www.leviathansecurity.com/research/tunnelvision
https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009
https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability

History

Thu, 13 Feb 2025 01:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:9 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux

Wed, 15 Jan 2025 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple iphone Os Apple macos Cisco Cisco anyconnect Vpn Client Cisco secure Client Citrix Citrix secure Access Client F5 F5 big-ip Access Policy Manager Fortinet Fortinet forticlient Linux Linux linux Kernel Paloaltonetworks Paloaltonetworks globalprotect Watchguard Watchguard ipsec Mobile Vpn Client Watchguard mobile Vpn With Ssl Zscaler Zscaler client Connector
CPEs		cpe:2.3:a:cisco:anyconnect_vpn_client:-:::::::* cpe:2.3:a:cisco:secure_client:-:::::::* cpe:2.3:a:citrix:secure_access_client:::::::: cpe:2.3:a:f5:big-ip_access_policy_manager:::::::: cpe:2.3:a:fortinet:forticlient::::::linux::* cpe:2.3:a:fortinet:forticlient::::::macos::* cpe:2.3:a:fortinet:forticlient::::::windows::* cpe:2.3:a:fortinet:forticlient:7.4.0:::::linux:: cpe:2.3:a:fortinet:forticlient:7.4.0:::::macos:: cpe:2.3:a:fortinet:forticlient:7.4.0:::::windows:: cpe:2.3:a:paloaltonetworks:globalprotect::::::iphone_os::* cpe:2.3:a:paloaltonetworks:globalprotect::::::linux::* cpe:2.3:a:paloaltonetworks:globalprotect::::::macos::* cpe:2.3:a:paloaltonetworks:globalprotect::::::windows::* cpe:2.3:a:watchguard:ipsec_mobile_vpn_client::::::macos::* cpe:2.3:a:watchguard:ipsec_mobile_vpn_client::::::windows::* cpe:2.3:a:watchguard:mobile_vpn_with_ssl::::::macos::* cpe:2.3:a:watchguard:mobile_vpn_with_ssl::::::windows::* cpe:2.3:a:zscaler:client_connector::::::linux::* cpe:2.3:a:zscaler:client_connector::::::macos::* cpe:2.3:a:zscaler:client_connector:-:::::windows:: cpe:2.3:o:apple:iphone_os:-:::::::* cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:o:linux:linux_kernel:-:::::::*
Vendors & Products		Apple Apple iphone Os Apple macos Cisco Cisco anyconnect Vpn Client Cisco secure Client Citrix Citrix secure Access Client F5 F5 big-ip Access Policy Manager Fortinet Fortinet forticlient Linux Linux linux Kernel Paloaltonetworks Paloaltonetworks globalprotect Watchguard Watchguard ipsec Mobile Vpn Client Watchguard mobile Vpn With Ssl Zscaler Zscaler client Connector

Thu, 07 Nov 2024 02:30:00 +0000

Type	Values Removed	Values Added
Metrics	threat_severity `Important`	threat_severity `Moderate`

Tue, 22 Oct 2024 02:30:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2024-3661 https://www.cve.org/CVERecord?id=CVE-2024-3661
Metrics	threat_severity `None`	threat_severity `Important`

MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published: 2024-05-06T18:31:21.217Z

Updated: 2024-08-28T19:09:06.995Z

Reserved: 2024-04-11T17:24:22.637Z

Link: CVE-2024-3661

Vulnrichment

Updated: 2024-08-01T20:20:00.420Z

NVD

Status : Analyzed

Published: 2024-05-06T19:15:11.027

Modified: 2025-01-15T16:50:28.667

Link: CVE-2024-3661

Redhat

Severity : Moderate

Publid Date: 2024-05-06T18:31:21Z

Links: CVE-2024-3661 - Bugzilla

Metrics

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object