Public Service Announcement (PSA): TunnelVision Vulnerability

Banner image: © Andrey Popov – stock.adobe.com

You have probably heard about the cybersecurity attack developed by security researchers called “TunnelVision” (CVE-2024-3661). TunnelVision would allow an attacker to defeat virtually any Virtual Private Network (VPN): it bypasses the security measures in place and redirects all data traffic outside of the encrypted tunnel intended to safeguard that data against surveillance or manipulation, which significantly undermines the fundamental purpose of a VPN.

The researchers speculate that this attack technique may have been technically feasible since as early as 2002, and may already have been exploited in real-world scenarios since then, although undiscovered and/or undisclosed until recently.

Let’s look at how this attack works, which environments are potentially affected, and most importantly, how to remedy it or at least protect against it.


What Is a VPN Used For?

A Virtual Private Network (VPN) is a proven technology that allows secure access to internal corporate resources from outside the corporate network, over unmanaged and insecure networks such as the mother of all networks, the Internet. There are many types of VPN connections, depending on whether the secure connection is turned on and off manually or automatically, and on whether all data traffic (personal and work apps alike) is routed through it (referred to as device-wide VPN) or only the traffic of a specific set of authorized, managed work apps (called per-app VPN).

In all cases, data travels securely, protected by end-to-end encryption from the device or mobile app up to the destination resource, such as a website, database or email server hosted internally.

This attack, however, relies on a specific option of the Dynamic Host Configuration Protocol (DHCP), a core network protocol that provides seamless connectivity by letting devices obtain the network configuration parameters they need without user intervention. The option is abused to reroute VPN data traffic before it is even encrypted, so that it never goes through the VPN tunnel as intended but to a rogue server for later extraction, all while remaining completely undetected by the corporate security measures and appliances in place, for example firewall appliances or VPN gateways.

How Does the Attack Work?

The attack relies on a largely unknown DHCP option, option 121, also known as the Classless Static Route Option. It allows a DHCP server to hand clients a list of static routes to use to reach specific destination networks, which is useful in scenarios where multiple subnets exist within a network and clients need explicit routing information to communicate with devices on other subnets.

This option was introduced more than 20 years ago, yet it is largely unknown to the public and only used in very specific scenarios. That general lack of awareness hides its potential for misuse: a malicious actor can use it to reroute part or all of the data traffic that is supposed to go over the secure, virtual VPN network interface over a physical interface instead, towards a compromised server on the local network.

The attack exploits the lack of proper authentication and integrity mechanisms in DHCP communications, unlike the Domain Name System (DNS), which has DNSSEC to digitally sign responses, ensuring authenticity and integrity and preventing spoofing and redirection attacks. This allows an attacker to deploy rogue DHCP servers that assign incorrect IP addresses and network configurations, leading to IP address spoofing and man-in-the-middle attacks, with clients redirected to malicious servers or websites and sensitive information potentially exposed.

Moreover, unlike an eavesdropping attack, where the attacker captures data that is still protected and must later “break” the encryption to read it, no such effort is needed in this scenario: the data is never encrypted to begin with, because it does not go over the VPN tunnel but over the local network, like default traffic does.

To make matters worse, this bypass remains undetected from the point of view of the VPN gateway: the connection from the affected computer or mobile device remains active (connected), even though there may be little or no real traffic through it, since that traffic has been intentionally rerouted elsewhere.

Also, the bypassed traffic usually goes to the rogue DHCP server itself, which makes it even harder to detect: most, if not all, network security solutions do not treat DNS or DHCP traffic, which is unencrypted by nature, as potentially suspicious, but as part of the usual, default traffic on any operational network. It is treated as “white noise” and so not looked at, which is the perfect camouflage.
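As an added, illustrative example (not code from the original post, from ISEC7 or from the TunnelVision researchers), the following Python decodes a DHCP option 121 value in the RFC 3442 wire format and flags any route that is more specific than a network the VPN tunnel claims. Because a host's routing table picks the longest matching prefix, such a route wins over the tunnel's route and the traffic it covers leaves through the physical interface, which is the effect described above. A defender reviewing DHCP offers captured on a network can run this logic over the option bytes to spot the condition. The option payload and the VPN-claimed networks below are constructed sample values.

```python
"""Decode DHCP option 121 (Classless Static Route, RFC 3442) from a captured
DHCP offer and report routes that would shadow a VPN tunnel's routes.

Added example for this article; payload and VPN networks are constructed.
"""
import ipaddress
from typing import Iterable, List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

# Constructed option 121 value as it would appear inside a DHCP offer:
#   10.50.0.0/16   via 192.168.1.1    (prefix 16 -> 2 significant octets)
#   172.16.0.0/12  via 192.168.1.1    (prefix 12 -> 2 significant octets)
#   0.0.0.0/0      via 192.168.1.254  (prefix 0  -> 0 significant octets)
SAMPLE_OPTION_121 = (
    b"\x10\x0a\x32\xc0\xa8\x01\x01"
    b"\x0c\xac\x10\xc0\xa8\x01\x01"
    b"\x00\xc0\xa8\x01\xfe"
)


def parse_option_121(data: bytes) -> List[Route]:
    """Decode repeated (prefix_len, significant octets, 4-byte router) entries."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        prefix_len = data[i]
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len} at offset {i}")
        n_octets = (prefix_len + 7) // 8  # RFC 3442 sends only the significant octets
        i += 1
        if i + n_octets + 4 > len(data):
            raise ValueError(f"truncated route entry at offset {i}")
        dest_int = int.from_bytes(data[i:i + n_octets].ljust(4, b"\x00"), "big")
        i += n_octets
        router = ipaddress.IPv4Address(data[i:i + 4])
        i += 4
        # strict=False: a sloppy server may set host bits; keep the route rather than crash
        routes.append((ipaddress.IPv4Network((dest_int, prefix_len), strict=False), router))
    return routes


def routes_shadowing_vpn(routes: Iterable[Route], vpn_cidrs: Iterable[str]) -> List[Route]:
    """Return DHCP routes that lie inside a VPN-claimed network but are more
    specific than it. Longest-prefix matching makes such a route win, so the
    traffic it covers would exit the physical interface instead of the tunnel."""
    vpn_nets = [ipaddress.IPv4Network(c) for c in vpn_cidrs]
    flagged: List[Route] = []
    for dest, router in routes:
        if any(dest.subnet_of(v) and dest.prefixlen > v.prefixlen for v in vpn_nets):
            flagged.append((dest, router))
    return flagged


if __name__ == "__main__":
    decoded = parse_option_121(SAMPLE_OPTION_121)
    for dest, router in decoded:
        print(f"option 121 route: {dest} via {router}")
    # Full-tunnel VPN (default route via the tunnel): every more-specific LAN route shadows it.
    for dest, router in routes_shadowing_vpn(decoded, ["0.0.0.0/0"]):
        print(f"WARNING: {dest} via {router} bypasses the full tunnel")
    # Split-tunnel VPN covering only 10.0.0.0/8: only the 10.50.0.0/16 route matters.
    for dest, router in routes_shadowing_vpn(decoded, ["10.0.0.0/8"]):
        print(f"WARNING: {dest} via {router} bypasses the split tunnel")
```

The networks passed to `routes_shadowing_vpn` are whatever the VPN client installs on the tunnel interface; a full-tunnel configuration is represented by `0.0.0.0/0`, a split tunnel by the corporate prefixes it routes. Any flagged route in an offer from an untrusted network is worth investigating, since a legitimate hotel or airport network has little reason to push routes into corporate address space.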

Illustration of the TunnelVision attack.

Limitations 

While this attack has been proven feasible and effective, there is no reason to raise alarms and consider VPN solutions insecure or unable to protect our data anymore.

First, carrying out such an attack requires local access to the network: the attacker must be able to deploy a DHCP server on the local network that feeds clients tampered DHCP information, and then intercept the bypassed traffic. This is why most scenarios leverage untrusted or public Wi-Fi, which is usually not as well managed.

Also, while most connected devices are affected by this attack, some of them, such as Android mobile devices, are natively immune to it, as their OS network stack does not implement DHCP option 121, so no traffic can be bypassed using this technique.

Who Is the Target? 

The main targets of such an attack are business travelers and home office workers connecting to their organization’s network over the Internet from a location other than their home or workplace (which are assumed to be safe places).

How To Mitigate It? 

For organizations with high security requirements, where even the remotest possibility of an attack must be excluded, there are possible mitigations.

For mobile users, the first recommendation would be to use devices running Android OS, as they are immune to this specific attack. However, using Android devices as the primary work platform presents its own set of pros and cons, and while some organizations can dictate which devices are used, in others, where BYOD is allowed or employees can choose their COPE device, it may be difficult, if not impossible, to force employees to switch to another mobile device type that they are not used to and/or comfortable with.

For travelers using a desktop computer to access corporate resources over a VPN solution on a potentially unsafe Wi-Fi network, for example in a hotel, airport or mall, the ideal approach is to connect the computer to the Internet through their mobile phone’s cellular network (via Wi-Fi hotspot) first, and then establish the VPN connection to their organization’s network; this way, they ensure that no DHCP-based attack can occur. However, using a mobile Android device as a relay in the long term is not realistic unless the company is willing to cover the higher cellular data costs of tethering a desktop computer (high data usage) compared with normal mobile usage (lower data usage).

Finally, the most secure option for employees to access internal resources remotely is virtualization, with a Virtual Desktop Infrastructure (VDI) for desktop devices and/or a Mobile Virtual Infrastructure (MVI) for mobile devices (e.g. Hypori Halo), as the data never leaves the remote servers, so there is no risk of data leakage or theft. However, the associated deployment, integration and management costs are high, so it is unfortunately not an option for all organizations.

While the scope of the recently discovered TunnelVision vulnerability is concerning, you are now familiar with several ways to mitigate the risk. In today’s world of ever-increasing cyber threats, it can be difficult to know which solutions to deploy and how to best leverage your existing ones. Thankfully, the team of experts at ISEC7 can also provide an objective assessment of which tools address the needs of your organization and/or the risk mitigation needed to enhance your current solution.