Cato Networks’ Impact and analysis of CVE-2024-3661 – “TunnelVision” VPN vulnerability

On May 6th, 2024, researchers from the Leviathan Security Group published an article detailing a technique to bypass most VPN applications, assigned CVE-2024-3661 with a High CVSS score of 7.6. The researchers labeled the technique “decloaking”: while the VPN tunnel remains connected, it tricks many VPN clients into sending traffic via a side channel rather than through the encrypted tunnel. Traffic flows through the side channel unencapsulated and can be snooped by an attacker.

The attack requires introducing a rogue DHCP server to the local network. This is not easy on well-maintained networks that use trust zones and DHCP snooping to prevent this attack vector. Notably, the threat of an adjacent attacker on the local network is not limited to DHCP; untrusted networks expose clients to various other threats, such as ARP poisoning, LLMNR poisoning, and so on.

In the case presented in the article, the malicious DHCP server poisons the routing table of its neighbor on the local network. Taking advantage of the broadcast nature of DHCP, and of the fact that it is UDP based (so little source verification is performed), fabricating responses is easy and can be done in various ways. Specifically, the response sent by the malicious server to a lease request on the local network uses option 121 [RFC 3442], which allows a DHCP server to push classless static routes into the requesting client's routing table.

Cato Client impact and recommended actions

The affected operating systems are:
- Windows
- Linux
- macOS
- iOS

Android is unaffected by the technique since it does not implement support for DHCP option 121 at all.

For recommendations for Windows Client users, see below. We are additionally working on updates for the other affected operating systems; updates will be issued as they become available.
Cato customers using the Windows Client may use a registry key to enable the “Delete Static Routes” feature on the Client, which configures the Client to delete all static routes not managed by Cato upon connecting. The configuration takes effect the next time the Client connects to the Cato cloud. If Always-On is enabled, users may need to bypass Always-On; for more information on how to bypass Always-On, see here. Also, if there are legitimate reasons for static routes to be present, this configuration may conflict with those routes and should be evaluated before rollout.

Registry key details:
- Location: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\CatoNetworksVPN
- Name: DeleteStaticRoutes
- Value: 1 (type: DWORD)

The one-liner below can be used on Windows as well, or distributed using known methods such as MDM tools or GPO policies:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\CatoNetworksVPN" /v DeleteStaticRoutes /t REG_DWORD /d 1 /f

To improve security in managed networks or in scenarios involving public or otherwise untrusted networks, these additional recommendations may be used to mitigate the vulnerability:
- Mitigating DHCP attacks on local networks: Admins can enable switch features such as DHCP snooping to protect the network from the introduction of a rogue DHCP server.
- Use cellular hotspots: Using a cellular network instead of public Wi-Fi mitigates the risk, as the network is controlled by the mobile device.
- Disable option 121: Disable it on endpoints where possible, keeping in mind that this may disrupt some network connectivity.

Cato Networks is not aware of any malicious exploitation of its ZTNA using this technique.

Details of the attack

When a VPN client operates, it begins by creating an encrypted version of the original packet received from its virtual network interface. This encrypted packet is then encapsulated within the VPN protocol layer, allowing secure communication with the VPN server.
Upon establishing a connection with the VPN server, the VPN client modifies the host's network settings to route all traffic through this secure tunnel.

The role of DHCP in network configuration

DHCP (Dynamic Host Configuration Protocol) plays a critical role in network management by automatically assigning IP addresses and configuring network settings for devices on a network, ensuring seamless connectivity and efficient use of IP address space. One of the advanced features of DHCP is option 121, introduced in RFC 3442. Option 121, also known as the “Classless Static Route Option”, allows network administrators to define classless static routes for clients, specifying each route by its destination prefix (address and prefix length) and gateway address. This enables precise direction of traffic to specific subnets. For example, administrators can use option 121 to route traffic for a particular subnet through a different gateway than the default, e.g. through a designated security appliance or monitoring system. RFC 3442 also requires a client that receives option 121 to ignore the Router option (option 3) in the same reply, so the pushed route list fully determines the client's static routes.

Methods of exploitation

The prerequisite is for an attacker to operate their own malicious DHCP server on the network and for targeted users to treat it as the legitimate DHCP server. There are several methods by which an attacker on the same network as the targeted user can position themselves as the DHCP server:
- DHCP starvation attack: By performing a DHCP starvation attack against the legitimate DHCP server, the attacker exhausts its pool of available IP addresses, so that only the rogue server can answer new clients.
- Race condition exploitation: The rogue DHCP server can race to respond to DHCPDISCOVER broadcasts, taking advantage of the common client behavior of accepting the first lease offer received.
- ARP spoofing: The attacker can use ARP spoofing to intercept traffic between the legitimate DHCP server and clients, then wait for clients to renew their leases and redirect them to the rogue DHCP server.

Attack execution

Once a malicious DHCP server is deployed on the same network as the targeted VPN user, it is configured to hand out itself as the default gateway. When traffic reaches this gateway, forwarding rules relay it to the legitimate gateway, allowing the traffic to be monitored and inspected while it traverses the malicious host, effectively performing an Adversary-in-the-Middle (AitM) attack.

Utilizing DHCP option 121

A crucial part of the attack involves leveraging DHCP option 121 to inject custom routes into the VPN user's routing table. Arbitrary routes can be set, and multiple routes if needed. By pushing routes more specific than the 0.0.0.0/0 default that most VPNs install, the attacker ensures that these routes win longest-prefix matching over the route for the VPN's virtual interface. For instance, by setting two /1 routes (0.0.0.0/1 and 128.0.0.0/1), the attacker covers the whole IPv4 space and overrides the 0.0.0.0/0 all-traffic rule set by most VPNs. Injecting these routes causes network traffic to be directed through the same physical interface on which the rogue DHCP server was reached, bypassing the VPN's virtual interface. As a result, the traffic routed this way is not encrypted by the VPN and is transmitted, unencapsulated, on the network interface that talks to the DHCP server.

Summary

The “decloaking” technique highlights a weakness in how VPN applications rely on the host routing table, allowing attackers to reroute traffic outside the encrypted tunnel. By exploiting DHCP, and specifically option 121, attackers can manipulate routing tables and compromise network security. The attack is not trivial to carry out, especially on well-maintained networks, and does not directly compromise the user; rather, it puts the attacker in a position to snoop on traffic which in most scenarios is already encrypted at the application layer (e.g. HTTPS/TLS) before entering the VPN. This discovery underscores the importance of securing DHCP configurations and being vigilant on public networks.
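The route override described under “Utilizing DHCP option 121” above, and the “Disable option 121” mitigation, as an added example (not Leviathan's or Cato's code): it encodes and decodes the RFC 3442 option 121 wire format, installs the two /1 routes into a constructed host routing table the way a DHCP client would, and shows with longest-prefix matching that traffic which previously went into the tunnel now leaves the physical interface. The addresses, interface names and the victim table are constructed for illustration; the `covered_fraction` check is a simple heuristic this example introduces for spotting a pushed route set that blankets the whole IPv4 space.

```python
"""DHCP option 121 (RFC 3442): encode, decode, and show why two /1 routes beat a VPN's /0."""
import ipaddress


def encode_option_121(routes):
    """Build the option 121 payload from (network, gateway) strings.

    RFC 3442 encodes each route as: one byte of prefix width, then only the
    significant octets of the destination, then the 4-byte router address.
    """
    out = bytearray()
    for net, gw in routes:
        n = ipaddress.IPv4Network(net)             # strict: host bits must be zero
        sig = (n.prefixlen + 7) // 8               # 0..4 significant octets
        out.append(n.prefixlen)
        out += n.network_address.packed[:sig]
        out += ipaddress.IPv4Address(gw).packed
    return bytes(out)


def decode_option_121(payload):
    """Parse an option 121 payload into a list of (IPv4Network, IPv4Address)."""
    routes, i = [], 0
    while i < len(payload):
        width = payload[i]
        i += 1
        if width > 32:
            raise ValueError(f"invalid prefix width {width}")
        sig = (width + 7) // 8
        if i + sig + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        dest = int.from_bytes(payload[i:i + sig] + b"\x00" * (4 - sig), "big")
        gw = ipaddress.IPv4Address(payload[i + sig:i + sig + 4])
        i += sig + 4
        routes.append((ipaddress.IPv4Network((dest, width), strict=False), gw))
    return routes


def select_route(table, dst):
    """Longest-prefix match over a list of (IPv4Network, interface) entries."""
    dst = ipaddress.IPv4Address(dst)
    best = max((r for r in table if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None


def covered_fraction(routes):
    """Fraction of IPv4 space covered by the union of pushed destinations (1.0 = a full default override)."""
    nets = ipaddress.collapse_addresses(n for n, _ in routes)
    return sum(n.num_addresses for n in nets) / 2 ** 32


def apply_rogue_routes(table, payload, ifname="eth0"):
    """Install pushed routes the way a DHCP client does: via the physical interface the lease came on."""
    return table + [(net, ifname) for net, _ in decode_option_121(payload)]


# Constructed scenario (assumption): victim on 192.168.1.0/24 via eth0, VPN default route via tun0,
# rogue DHCP server at 192.168.1.66 pushing the two /1 routes through itself.
VPN_TABLE = [
    (ipaddress.IPv4Network("192.168.1.0/24"), "eth0"),   # LAN, needed to reach the VPN server
    (ipaddress.IPv4Network("0.0.0.0/0"), "tun0"),        # everything else into the tunnel
]
ROGUE_ROUTES = [("0.0.0.0/1", "192.168.1.66"), ("128.0.0.0/1", "192.168.1.66")]


def tunnelvision_demo(dst="203.0.113.10"):
    """Return (interface before, interface after, fraction of IPv4 space the pushed routes cover)."""
    payload = encode_option_121(ROGUE_ROUTES)
    before = select_route(VPN_TABLE, dst)
    after = select_route(apply_rogue_routes(VPN_TABLE, payload), dst)
    return before, after, covered_fraction(decode_option_121(payload))


if __name__ == "__main__":
    print(encode_option_121(ROGUE_ROUTES).hex())
    print(tunnelvision_demo())
```

A client-side check in the spirit of the “Disable option 121” recommendation is to decode option 121 from every lease and refuse (or alert on) a route set whose `covered_fraction` reaches 1.0, since no legitimate network needs DHCP to re-issue the entire default route in pieces.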

Cato Protects Against MOVEit vulnerability (CVE-2023-34362)

A new critical vulnerability (CVE-2023-34362) has been published by Progress Software in its file transfer application, MOVEit Transfer. A SQL injection vulnerability was discovered in MOVEit Transfer enabling unauthenticated access to the MOVEit Transfer database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.

Currently, Cato Research Labs is aware of exploitation attempts of CVE-2023-34362 as an initial access vector used by the CLOP ransomware group to gain access to the MOVEit Transfer MFT solution and deliver a web shell ("Human2.aspx") tailored specifically to this product. While details about the web shell have surfaced in the last few days, as well as several suspected endpoints involved, the actual SQLi payload and specific details of the injection point have not been made public.

Cato’s Response

Cato has deployed signatures across the Cato Cloud to prevent uploading or interacting with the web shell. The detect-to-protect time was 3 days and 6 hours for all Cato-connected users worldwide. Furthermore, Cato recommends restricting public access to MOVEit instances to users protected by Cato security only, whether behind a Cato Socket or remote users running the Cato Client.

Currently, Cato Research Labs has found evidence of opportunistic scanners probing public-facing servers for the presence of the web shell (rather than actually exploiting the vulnerability). Scanning public-facing servers is a common practice for opportunistic actors riding the tail of a zero-day campaign.
Cato continues to monitor for further details regarding this CVE and will update our security protections accordingly. Check out the Cato Networks CVE mitigation page where we update regularly. 
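The scanning-for-the-web-shell activity described above, turned into a log hunt, as an added example that is not Cato's signature or detection logic: it parses IIS W3C logs using the `#Fields:` directive (MOVEit Transfer runs on IIS) and separates hosts that merely probe for `human2.aspx` and receive an error status from requests the server actually answered with 200, which would mean the shell is present. The log lines are constructed, and the split on status code is this example's heuristic.

```python
"""Hunt IIS W3C logs for requests to the web shell name reported for CVE-2023-34362."""
from collections import Counter

WEBSHELL = "human2.aspx"   # name reported for the MOVEit web shell; matched case-insensitively

# Constructed sample log (assumption): IIS 10 W3C format, one request per line.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2023-06-02 08:01:11 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.23 python-requests/2.28 404 3
2023-06-02 08:01:12 10.0.0.5 GET /HUMAN2.aspx - 443 - 198.51.100.23 python-requests/2.28 404 2
2023-06-02 08:05:40 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.77 curl/7.88 404 2
2023-06-02 08:09:03 10.0.0.5 GET /other.aspx - 443 alice 192.0.2.10 Mozilla/5.0 200 15
2023-06-02 08:22:51 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.200 Mozilla/5.0 200 41
"""


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue   # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def hunt_webshell(text):
    """Return probes (client IP -> count of shell requests that got an error) and confirmed hits."""
    probes = Counter()
    hits = []   # (timestamp, client IP, method, status) for shell requests answered with 200
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().endswith("/" + WEBSHELL):
            continue
        status = int(rec["sc-status"])
        entry = (rec["date"] + " " + rec["time"], rec["c-ip"], rec["cs-method"], status)
        if status == 200:
            hits.append(entry)
        else:
            probes[rec["c-ip"]] += 1
    return {"probes": dict(probes), "hits": hits}


if __name__ == "__main__":
    result = hunt_webshell(SAMPLE_LOG)
    for ip, n in result["probes"].items():
        print(f"probe   {ip} ({n} requests, shell not present)")
    for ts, ip, method, status in result["hits"]:
        print(f"HIT     {ts} {ip} {method} -> {status}: web shell answered, treat host as compromised")
```

Probes are the noise the page describes; a single 200 for the shell path is the signal, and any request that reaches it should be treated as post-exploitation rather than scanning.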

Cato Protects Against CVE-2023-23397 Exploits 

A new critical vulnerability impacting Microsoft Outlook (CVE-2023-23397) was recently published by Microsoft. The CVE is particularly concerning as no user involvement is required by the exploit: once a user receives a malicious calendar invite, the attacker can capture the user's Net-NTLM authentication response and work back to the user's Active Directory credentials.

Microsoft has released a security update that can be found here. Cato Research strongly encourages updating all relevant systems, as proof-of-concept exploits have already appeared online. Until all systems have been updated, Cato customers can rest easy: by default, any Cato-connected endpoint, whether a remote user, a site, or any other type of user, is protected from attacks exploiting the CVE.

What is CVE-2023-23397 and How Does it Work?

CVE-2023-23397 is a critical vulnerability in the Outlook client. An attacker can craft a .MSG file in the form of a calendar invite that triggers an authentication attempt over the SMB protocol to an attacker-controlled endpoint without any user interaction. (.MSG is the file format used to represent Outlook elements, such as email messages, appointments, contacts, and tasks.)

If the SMB authentication attempt uses NTLM, the Outlook client sends the attacker a Net-NTLM hash (the challenge response) along with the username and domain name. This enables an attacker to perform an offline dictionary attack on the hash. The result: the user's password, which together with the username can then be used to authenticate to and attack exposed services that rely on Active Directory credentials.

What is Cato’s Mitigation?

Right upon the exploitation disclosure, Cato’s Security Research team began investigating the CVE. Cato IPS does not inspect Outlook .MSG elements, as that would be out of scope for an IPS system.
But the CVE does require an outbound SMB session to leak the authentication material and, by default, Cato’s firewall implements a deny rule blocking outbound SMB traffic. Only SMB sessions terminating at known, trusted servers should be allowed.

Our team continues to review a dedicated IPS signature to be enforced globally for this threat. It will ensure that potential information leakage, such as the one presented by this CVE, is prevented regardless of a customer's firewall configuration. With hybrid Active Directory setups that extend AD identities to the cloud and may utilize SMB, careful review of the data is required to avoid false positives introduced by legitimate usage. Further notice will be provided to Cato customers in forthcoming Release Notes.