Vulnerabilites related to cisco - anyconnect_vpn_client
Vulnerability from fkie_nvd
Published
2024-05-06 19:15
Modified
2025-01-15 16:50
Severity ?
7.6 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
7.6 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
7.6 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Summary
DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:linux:*:*",
"matchCriteriaId": "F0918F54-0052-42BD-A73E-CFF198B9EC48",
"versionEndExcluding": "7.2.5",
"versionStartIncluding": "6.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:macos:*:*",
"matchCriteriaId": "81B7F626-84B5-47A5-959F-735D6250C147",
"versionEndExcluding": "7.2.5",
"versionStartIncluding": "6.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:windows:*:*",
"matchCriteriaId": "5E714EAF-73AB-41EA-AC57-E59B78FD7853",
"versionEndExcluding": "7.2.5",
"versionStartIncluding": "6.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:forticlient:7.4.0:*:*:*:*:linux:*:*",
"matchCriteriaId": "7B728862-1FAB-47B4-823D-2C19CBF76DAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:forticlient:7.4.0:*:*:*:*:macos:*:*",
"matchCriteriaId": "0A079CA4-D957-402A-B899-31F26A89DF00",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:forticlient:7.4.0:*:*:*:*:windows:*:*",
"matchCriteriaId": "6B512696-8596-4458-ADC9-24DD3C6C377B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cisco:anyconnect_vpn_client:-:*:*:*:*:*:*:*",
"matchCriteriaId": "59289E79-5A0A-4675-B7D4-C759401736A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:cisco:secure_client:-:*:*:*:*:*:*:*",
"matchCriteriaId": "FE81F5D2-269B-4098-AA9F-2DBCA3CB8813",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:iphone_os:*:*",
"matchCriteriaId": "8EEBB31D-BC9C-4EAD-86B1-8B95AB118A2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:linux:*:*",
"matchCriteriaId": "4814D5DB-A96C-4D91-9DAE-87FF0DA101D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:macos:*:*",
"matchCriteriaId": "72F88FEB-766B-4FCD-B78E-0E8E5E2B5CCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:windows:*:*",
"matchCriteriaId": "D5537140-CDA3-4410-B101-24D1AB3624EA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:citrix:secure_access_client:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CB344FC1-AD7C-4988-A703-8B2CD0AEF57C",
"versionEndExcluding": "24.06.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B5415705-33E5-46D5-8E4D-9EBADC8C5705",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*",
"matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:citrix:secure_access_client:*:*:*:*:*:*:*:*",
"matchCriteriaId": "697D4070-101A-45B1-99B1-F33ECF03945C",
"versionEndExcluding": "24.8.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
"matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FB16CE4D-183C-44B9-A5FF-6F9FA3C0A618",
"versionEndIncluding": "7.2.5",
"versionStartIncluding": "7.2.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3A7F605E-EB10-40FB-98D6-7E3A95E310BC",
"versionEndIncluding": "15.1.10",
"versionStartIncluding": "15.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E8FEC1DE-D11F-4DC8-8B21-51BAF1731A5F",
"versionEndIncluding": "16.1.5",
"versionStartIncluding": "16.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9DE3A941-B898-4EAB-9073-C6A312E59FC5",
"versionEndIncluding": "17.1.2",
"versionStartIncluding": "17.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:watchguard:ipsec_mobile_vpn_client:*:*:*:*:*:macos:*:*",
"matchCriteriaId": "FFB4A7FD-AC96-490D-9CBB-72166D46C4FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:watchguard:ipsec_mobile_vpn_client:*:*:*:*:*:windows:*:*",
"matchCriteriaId": "2EAD2DBA-3038-4EF8-8BAE-80BD3DA97B33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:watchguard:mobile_vpn_with_ssl:*:*:*:*:*:macos:*:*",
"matchCriteriaId": "AB8A39F6-8AD5-4B9D-92E4-7E28EE78C5B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:watchguard:mobile_vpn_with_ssl:*:*:*:*:*:windows:*:*",
"matchCriteriaId": "0AF97158-6BB8-47CA-8214-98D2F801C8BA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zscaler:client_connector:*:*:*:*:*:linux:*:*",
"matchCriteriaId": "1F206869-8FCE-40AE-ADDC-62F221E00004",
"versionEndExcluding": "1.5.1.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zscaler:client_connector:*:*:*:*:*:macos:*:*",
"matchCriteriaId": "7D37D825-E2B8-4924-AA8A-ACB0E08A3C61",
"versionEndExcluding": "4.2.0.282",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zscaler:client_connector:*:*:*:*:*:linux:*:*",
"matchCriteriaId": "4EC77FDF-1E1A-4638-9C9F-DA4205FDD69B",
"versionEndExcluding": "3.7.0.134",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zscaler:client_connector:-:*:*:*:*:windows:*:*",
"matchCriteriaId": "C057E1BC-C7BA-4EAF-8200-560035118FA0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "DHCP can add routes to a client\u2019s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN."
},
{
"lang": "es",
"value": "Por dise\u00f1o, el protocolo DHCP no autentica mensajes, incluida, por ejemplo, la opci\u00f3n de ruta est\u00e1tica sin clases (121). Un atacante con la capacidad de enviar mensajes DHCP puede manipular rutas para redirigir el tr\u00e1fico VPN, lo que le permite leer, interrumpir o posiblemente modificar el tr\u00e1fico de red que se esperaba que estuviera protegido por la VPN. Muchos, si no la mayor\u00eda, de los sistemas VPN basados en enrutamiento IP son susceptibles a este tipo de ataques."
}
],
"id": "CVE-2024-3661",
"lastModified": "2025-01-15T16:50:28.667",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.7,
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-05-06T19:15:11.027",
"references": [
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Press/Media Coverage"
],
"url": "https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/"
},
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Vendor Advisory"
],
"url": "https://bst.cisco.com/quickview/bug/CSCwk05814"
},
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Related"
],
"url": "https://datatracker.ietf.org/doc/html/rfc2131#section-7"
},
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Related"
],
"url": "https://datatracker.ietf.org/doc/html/rfc3442#section-7"
},
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Vendor Advisory"
],
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-170"
},
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Issue Tracking"
],
"url": "https://issuetracker.google.com/issues/263721377"
},
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Press/Media Coverage"
],
"url": "https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/"
},
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Issue Tracking"
],
"url": "https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic"
},
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Third Party Advisory"
],
"url": "https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision"
},
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Vendor Advisory"
],
"url": "https://my.f5.com/manage/s/article/K000139553"
},
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Issue Tracking"
],
"url": "https://news.ycombinator.com/item?id=40279632"
},
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Issue Tracking"
],
"url": "https://news.ycombinator.com/item?id=40284111"
},
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Vendor Advisory"
],
"url": "https://security.paloaltonetworks.com/CVE-2024-3661"
},
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Vendor Advisory"
],
"url": "https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661"
},
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://tunnelvisionbug.com/"
},
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Related"
],
"url": "https://www.agwa.name/blog/post/hardening_openvpn_for_def_con"
},
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Third Party Advisory"
],
"url": "https://www.leviathansecurity.com/research/tunnelvision"
},
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Press/Media Coverage"
],
"url": "https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/"
},
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009"
},
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Press/Media Coverage"
],
"url": "https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://bst.cisco.com/quickview/bug/CSCwk05814"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Related"
],
"url": "https://datatracker.ietf.org/doc/html/rfc2131#section-7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Related"
],
"url": "https://datatracker.ietf.org/doc/html/rfc3442#section-7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-170"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://issuetracker.google.com/issues/263721377"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Press/Media Coverage"
],
"url": "https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://my.f5.com/manage/s/article/K000139553"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://news.ycombinator.com/item?id=40279632"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://news.ycombinator.com/item?id=40284111"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.paloaltonetworks.com/CVE-2024-3661"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://tunnelvisionbug.com/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Related"
],
"url": "https://www.agwa.name/blog/post/hardening_openvpn_for_def_con"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.leviathansecurity.com/research/tunnelvision"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Press/Media Coverage"
],
"url": "https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability"
}
],
"sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
},
{
"lang": "en",
"value": "CWE-501"
}
],
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
cve-2024-3661
Vulnerability from cvelistv5
Published
2024-05-06 18:31
Modified
2024-08-28 19:09
Severity ?
EPSS score ?
Summary
DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:20:00.420Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://datatracker.ietf.org/doc/html/rfc2131#section-7"
},
{
"tags": [
"x_transferred"
],
"url": "https://datatracker.ietf.org/doc/html/rfc3442#section-7"
},
{
"tags": [
"x_transferred"
],
"url": "https://tunnelvisionbug.com/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.leviathansecurity.com/research/tunnelvision"
},
{
"tags": [
"x_transferred"
],
"url": "https://news.ycombinator.com/item?id=40279632"
},
{
"tags": [
"x_transferred"
],
"url": "https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/"
},
{
"tags": [
"x_transferred"
],
"url": "https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/"
},
{
"tags": [
"x_transferred"
],
"url": "https://issuetracker.google.com/issues/263721377"
},
{
"tags": [
"x_transferred"
],
"url": "https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability"
},
{
"tags": [
"x_transferred"
],
"url": "https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic"
},
{
"tags": [
"x_transferred"
],
"url": "https://news.ycombinator.com/item?id=40284111"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.agwa.name/blog/post/hardening_openvpn_for_def_con"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009"
},
{
"tags": [
"x_transferred"
],
"url": "https://bst.cisco.com/quickview/bug/CSCwk05814"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.paloaltonetworks.com/CVE-2024-3661"
},
{
"tags": [
"x_transferred"
],
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-170"
},
{
"tags": [
"x_transferred"
],
"url": "https://my.f5.com/manage/s/article/K000139553"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3661",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-08T04:00:07.962328Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T19:09:06.995Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "DHCP",
"vendor": "IETF",
"versions": [
{
"status": "affected",
"version": "0"
}
]
}
],
"datePublic": "2002-12-31T01:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "DHCP can add routes to a client\u2019s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN."
}
],
"value": "DHCP can add routes to a client\u2019s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-501",
"description": "CWE-501 Trust Boundary Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-01T15:04:50.790Z",
"orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"shortName": "cisa-cg"
},
"references": [
{
"url": "https://datatracker.ietf.org/doc/html/rfc2131#section-7"
},
{
"url": "https://datatracker.ietf.org/doc/html/rfc3442#section-7"
},
{
"url": "https://tunnelvisionbug.com/"
},
{
"url": "https://www.leviathansecurity.com/research/tunnelvision"
},
{
"url": "https://news.ycombinator.com/item?id=40279632"
},
{
"url": "https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/"
},
{
"url": "https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/"
},
{
"url": "https://issuetracker.google.com/issues/263721377"
},
{
"url": "https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision"
},
{
"url": "https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability"
},
{
"url": "https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic"
},
{
"url": "https://news.ycombinator.com/item?id=40284111"
},
{
"url": "https://www.agwa.name/blog/post/hardening_openvpn_for_def_con"
},
{
"url": "https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/"
},
{
"url": "https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661"
},
{
"url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009"
},
{
"url": "https://bst.cisco.com/quickview/bug/CSCwk05814"
},
{
"url": "https://security.paloaltonetworks.com/CVE-2024-3661"
},
{
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-170"
},
{
"url": "https://my.f5.com/manage/s/article/K000139553"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "DHCP routing options can manipulate interface-based VPN traffic",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"assignerShortName": "cisa-cg",
"cveId": "CVE-2024-3661",
"datePublished": "2024-05-06T18:31:21.217Z",
"dateReserved": "2024-04-11T17:24:22.637Z",
"dateUpdated": "2024-08-28T19:09:06.995Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}