CVE-2024-3661

HIGH

DHCP - Info Disclosure

Title source: llm

Description

DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.

Exploits (3)

nomisec NO CODE

by YardenFadida · poc

https://github.com/YardenFadida/CVE-2024-3661_Demo

View Code ZIP pw:eip

nomisec WORKING POC

by Roundthe-clock · poc

https://github.com/Roundthe-clock/CVE-2024-3661VPN

View Code ZIP pw:eip

nomisec WORKING POC

by Wh1t3Fox · poc

https://github.com/Wh1t3Fox/CVE-2024-3661

View Code ZIP pw:eip

References (20)

[Exploit, Press/Media Coverage] https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/

[Third Party Advisory, Vendor Advisory] https://bst.cisco.com/quickview/bug/CSCwk05814

[Related] https://datatracker.ietf.org/doc/html/rfc2131#section-7

[Related] https://datatracker.ietf.org/doc/html/rfc3442#section-7

[Vendor Advisory] https://fortiguard.fortinet.com/psirt/FG-IR-24-170

[Issue Tracking] https://issuetracker.google.com/issues/263721377

[Exploit, Press/Media Coverage] https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/

[Issue Tracking] https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic

[Third Party Advisory] https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision

[Vendor Advisory] https://my.f5.com/manage/s/article/K000139553

[Issue Tracking] https://news.ycombinator.com/item?id=40279632

[Issue Tracking] https://news.ycombinator.com/item?id=40284111

[Vendor Advisory] https://security.paloaltonetworks.com/CVE-2024-3661

[Vendor Advisory] https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661

[Exploit, Third Party Advisory] https://tunnelvisionbug.com/

[Related] https://www.agwa.name/blog/post/hardening_openvpn_for_def_con

[Third Party Advisory] https://www.leviathansecurity.com/research/tunnelvision

[Exploit, Press/Media Coverage] https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/

[Mitigation, Third Party Advisory, Vendor Advisory] https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009

[Exploit, Third Party Advisory, Vendor Advisory] https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability

Scores

CVSS v3 7.6

EPSS 0.0242

EPSS Percentile 85.2%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-306 CWE-501

Status published

Products (12)

cisco/anyconnect_vpn_client

cisco/secure_client

citrix/secure_access_client < 24.06.1

f5/big-ip_access_policy_manager 7.2.3 - 7.2.5

fortinet/forticlient 7.4.0 (3 CPE variants)

fortinet/forticlient 6.4.0 - 7.2.5 (3 CPE variants)

paloaltonetworks/globalprotect (4 CPE variants)

watchguard/ipsec_mobile_vpn_client (2 CPE variants)

watchguard/mobile_vpn_with_ssl (2 CPE variants)

zscaler/client_connector

... and 2 more

Published May 06, 2024

Tracked Since Feb 18, 2026