A new technique dubbed “TunnelVision” that exploits a DHCP design flaw lets attackers manipulate routing tables so they can completely bypass traffic meant for a VPN and then redirect it on to an untrusted local network.
In a blog post May 6, researchers at the Leviathan Security Group explained that because this technique exploits a DHCP flaw and does not depend on exploiting VPN technologies or underlying protocols, it works completely independently of the VPN provider or implementation.
“VPN users who expect VPNs to protect them on untrusted networks are as susceptible to the very same attacks as if they weren’t using a VPN,” wrote the researchers. “This is particularly dangerous for people who rely on VPNs to keep them safe, such as journalists and political dissidents.”
The researchers explained that TunnelVision exploits CVE-2024-3661, a high-severity DHCP design flaw where messages such as the classless static route — Option 121 — are not authenticated, exposing them to manipulation.
Callie Guenther, senior manager of threat research at Critical Start and an SC Media columnist, explained that Option 121 lets network administrators define the routing directives that DHCP clients should use. However, Guenther said because these DHCP routing directives are not authenticated, they are susceptible to manipulation by an attacker.
In what the researchers described as the “Decloaking Effect,” Guenther explained that a victim’s system still indicates a secure VPN connection is active, misleading the user or IT staff monitoring logs about their actual security posture.
“This stealth aspect makes the attack particularly dangerous as users believe their communications are secure when they are not,” said Guenther. “Since the attack targets the underlying IP routing mechanism through DHCP, it is not directly dependent on the VPN technology or provider. This means that most IP routing-based VPN systems could be vulnerable to this attack.”
Craig Harber, security evangelist at Open Systems, added that by using Option 121 to route VPN traffic through the DHCP server, the attack diverts the data to the DHCP server itself.
“To protect against TunnelVision, security teams should regularly update their VPN software to patch known vulnerabilities, avoid using public Wi-Fi networks whenever possible, and enable kill-switch features in VPNs client to prevent traffic leaks,” said Harber.