home.social

#trafficdecloaking — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #trafficdecloaking, aggregated by home.social.

  1. TunnelVision: The DHCP Decloaking Technique

    Date: May 6, 2024
    CVE: CVE-2024-3661
    Vulnerability Type: Bypass a security feature
    CWE: CWE-284, CWE-400
    Sources: Leviathan Security Blog

    Issue Summary

    TunnelVision, a technique disclosed by Leviathan Security, involves bypassing VPN encryption using DHCP to decloak user traffic without disrupting the VPN control channel, which leaves VPN kill switches ineffective. This vulnerability utilizes DHCP option 121 to manipulate routing tables, allowing attackers to redirect selected traffic away from the secured VPN tunnel directly to themselves, making sensitive user data vulnerable to interception.

    Technical Key Findings

    Attackers use DHCP option 121 to insert malicious /1 routes into a victim's routing table, diverting specific traffic away from the encrypted VPN tunnel directly to the attacker, because those routes are more specific than the /0 routes. This style of attack seems to be a slight variation on the PoisonTap attack from Samy Kamkar in 2016, where the same thing is done with a USB/Thunderbolt network adapter: once plugged into the victim device, it advertises two more specific routes, 0.0.0.0/1 and 128.0.0.0/1, and then receives all the traffic in preference to other system interfaces regardless of interface ordering: https://github.com/samyk/poisontap

    In 2002, RFC 3442 introduced option 121 classless static routes. It allows administrators to add classless static route ranges to a client’s routing table.

    Requirements for decloaking VPN traffic

    • The targeted host must accept a DHCP lease from the attacker-controlled server
    • The targeted host’s DHCP client must implement DHCP option 121
    • The client setup should lack firewall rules that block traffic to/from the physical interface

    Vulnerable Products

    All operating systems supporting DHCP option 121, including Windows, Linux, iOS, and macOS. It does not affect Android as it does not support DHCP option 121.

    Impact Assessment

    Successful exploitation leads to potential traffic interception, jeopardizing sensitive data and enabling targeted denial-of-service and de-anonymization attacks.

    Patches or Workaround

    Mitigations include using network namespaces on Linux, enforcing strict firewall rules, or completely ignoring DHCP option 121 during active VPN connections.

    Tags

    #Networking #VPN #DHCP #CVE-2024-3661 #SecurityBypass #TrafficDecloaking

    [Figure 4: A dataflow diagram of a VPN on a Linux host.]
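As an added illustration (not code from Leviathan's write-up or from PoisonTap), the Python below decodes an option 121 payload in the RFC 3442 wire format, shows why a pushed /1 route beats the tunnel's /0 under longest-prefix match, and measures how much address space a lease would divert, which is the kind of check a VPN client could apply before honouring such routes. The gateway 192.0.2.1, the sample lease and the `tun0` label are constructed for the example.

```python
import ipaddress

def parse_option_121(data: bytes):
    """Decode RFC 3442 classless static routes: each entry is 1 byte prefix
    length, ceil(prefixlen/8) significant destination octets, 4 router octets."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen}")
        nsig = (plen + 7) // 8
        if i + 5 + nsig > len(data):
            raise ValueError("truncated option 121 payload")
        dest = bytes(data[i + 1:i + 1 + nsig]).ljust(4, b"\x00")
        gw = bytes(data[i + 1 + nsig:i + 5 + nsig])
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False),
                       ipaddress.IPv4Address(gw)))
        i += 5 + nsig
    return routes

def next_hop(dst: str, pushed_routes, vpn_hop: str = "tun0") -> str:
    """Longest-prefix match of the pushed routes against the VPN's /0.
    Any pushed route is more specific than /0, so it wins for its prefix."""
    addr = ipaddress.IPv4Address(dst)
    best_len, best_hop = 0, vpn_hop          # the tunnel /0 is the fallback
    for net, gw in pushed_routes:
        if addr in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, str(gw)
    return best_hop

def diverted_fraction(pushed_routes) -> float:
    """Share of IPv4 space the lease would pull off the tunnel; a client
    could refuse a lease whose routes cover far more than a LAN needs."""
    nets = ipaddress.collapse_addresses(n for n, _ in pushed_routes)
    return sum(n.num_addresses for n in nets) / 2 ** 32

def encode_routes(routes) -> bytes:
    """Build an option 121 payload (used here only to construct sample input)."""
    out = bytearray()
    for cidr, gw in routes:
        net = ipaddress.IPv4Network(cidr)
        out.append(net.prefixlen)
        out += net.network_address.packed[:(net.prefixlen + 7) // 8]
        out += ipaddress.IPv4Address(gw).packed
    return bytes(out)

# Constructed sample lease: the write-up's two /1 routes plus a /24, all via a hypothetical rogue gateway 192.0.2.1 (TEST-NET-1).
SAMPLE_OPTION_121 = encode_routes([("0.0.0.0/1", "192.0.2.1"),
                                   ("128.0.0.0/1", "192.0.2.1"),
                                   ("10.10.0.0/24", "192.0.2.1")])
```

Running `parse_option_121(SAMPLE_OPTION_121)` and feeding the result to `next_hop` shows every public destination resolving to 192.0.2.1 rather than `tun0`, and `diverted_fraction` reports 100% of the address space pulled off the tunnel.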