Cato Networks’ Impact and analysis of CVE-2024-3661 – “TunnelVision” VPN vulnerability


On May 6th, 2024, researchers from the Leviathan Security Group published an article detailing a technique to bypass most VPN applications, assigned CVE-2024-3661 with a High CVSS score of 7.6. The researchers labeled the technique ‘decloaking’: while the VPN tunnel remains connected, it tricks many VPN clients into sending traffic through a side channel rather than through the encrypted tunnel. Traffic flowing through the side channel is unencapsulated and can be snooped on by an attacker.

The attack requires introducing a rogue DHCP server to the local network. This is not easy on well-maintained networks that use trust zones and DHCP snooping to block this attack vector. Notably, the threat from an adjacent attacker on the local network is not limited to DHCP; untrusted networks pose various other threats, such as ARP poisoning, LLMNR poisoning, and so on.
In the case presented in the article, the malicious DHCP server poisons the routing table of its neighbor on the local network. Because DHCP is broadcast-based and runs over UDP, with little verification of where a response came from, fabricating responses is easy and can be done in various ways.

Specifically, the response sent by the malicious server to a lease request on the local network uses option 121 [RFC 3442], which allows the DHCP server to push classless static routes into the client’s routing table.

The affected operating systems are:

  • Windows
  • Linux
  • macOS
  • iOS

* Android is unaffected by the technique since it does not implement DHCP Option 121 at all.

For recommendations for Windows Client users, see below. We are also working on updates for the other affected operating systems; updates will be issued as they become available.

Cato customers using the Windows Client can set a registry key to enable the “Delete Static Routes” feature, which configures the Client to delete all static routes not managed by Cato when it connects.
The configuration takes effect the next time the Client connects to the Cato cloud. If Always-On is enabled, users may need to bypass Always-On; for more information on how to bypass Always-On, see here.
Also, if there are legitimate reasons for static routes to be present, this setting may conflict with those routes and should be considered carefully before deployment.


Registry key details:
Location – Computer\HKEY_LOCAL_MACHINE\SOFTWARE\CatoNetworksVPN
Name: DeleteStaticRoutes
Value: 1 – (type: DWORD)

The one-liner below can also be used on Windows, or distributed using standard methods such as MDM tools or GPO policies.

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\CatoNetworksVPN" /v DeleteStaticRoutes /t REG_DWORD /d 1 /f

To improve security in managed networks, or in scenarios involving public or otherwise untrusted networks, these additional recommendations can help mitigate the vulnerability:

  • Mitigating DHCP attacks on local networks: Admins can enable configurations on network switches such as DHCP Snooping to protect the network from the introduction of a rogue DHCP server.
  • Use Cellular Hotspots: Using a cellular network instead of public Wi-Fi mitigates the risk, as the network is controlled by the mobile device.
  • Disable Option 121: Disable it on endpoints where possible, keeping in mind that this may disrupt some network connectivity.

Cato Networks is not aware of any malicious exploitation of its ZTNA using this technique.

Details of the attack

When a VPN client operates, it begins by encrypting the original packet received from its virtual network interface. The encrypted packet is then encapsulated within the VPN protocol layer, allowing secure communication with the VPN server.

Upon establishing a connection with the VPN server, the VPN client modifies the host’s network settings to route all traffic through this secure tunnel.

The Role of DHCP in Network Configuration

DHCP (Dynamic Host Configuration Protocol) plays a critical role in network management by automatically assigning IP addresses and configuring network settings for devices on a network, ensuring seamless connectivity and efficient use of IP address space.

One of the advanced features of DHCP is Option 121, introduced in RFC 3442. Option 121, also known as the “Classless Static Route Option”, allows network administrators to define classless static routes for clients, specifying routes with both the destination subnet and the gateway address. This capability enhances routing flexibility by enabling the precise direction of traffic to specific subnets, improving network efficiency and control. For example, administrators can use Option 121 to route traffic for a particular subnet through a different gateway than the default, optimizing network traffic flow and enhancing security measures by directing traffic through designated security appliances or monitoring systems.
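The Option 121 wire format referenced above (here and in the earlier mention of RFC 3442) is compact enough to decode by hand, and decoding it is the basis for spotting an offer that tries to cover the whole address space. The following is an added example, not code from Cato or from the Leviathan article; the sample payloads are constructed, not captured traffic.

```python
"""Decoder for DHCP Option 121 (RFC 3442 classless static routes) plus a
check for offers whose routes blanket all of IPv4. Added example, not code
from Cato or Leviathan; the payloads below are constructed samples."""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

def parse_option_121(payload: bytes) -> List[Route]:
    """Decode the option payload into (destination, router) pairs.

    RFC 3442 packs each route as one byte of prefix length, then only the
    significant octets of the destination (ceil(prefix/8) of them), then
    the four-octet router address. A payload that ends mid-route is rejected."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        width = payload[i]
        i += 1
        if width > 32:
            raise ValueError(f"prefix length {width} out of range")
        n = (width + 7) // 8
        if i + n + 4 > len(payload):
            raise ValueError("truncated route descriptor")
        dest = payload[i:i + n] + b"\x00" * (4 - n)   # restore omitted octets
        router = ipaddress.IPv4Address(payload[i + n:i + n + 4])
        i += n + 4
        routes.append((ipaddress.IPv4Network((dest, width)), router))
    return routes

def covers_all_ipv4(routes: List[Route]) -> bool:
    """True when the pushed destinations, merged, equal 0.0.0.0/0, e.g. the
    0.0.0.0/1 + 128.0.0.0/1 pair from the attack, which an ordinary office
    DHCP server has no reason to send."""
    merged = list(ipaddress.collapse_addresses(net for net, _ in routes))
    return merged == [ipaddress.IPv4Network("0.0.0.0/0")]

# Constructed payloads (not captured traffic).
# A plausible corporate push: 10.20.0.0/16 via 192.168.1.1.
BENIGN = bytes([16, 10, 20, 192, 168, 1, 1])
# The pattern from the attack: two /1 routes via 192.168.1.254.
BLANKET = bytes([1, 0x00, 192, 168, 1, 254,
                 1, 0x80, 192, 168, 1, 254])

if __name__ == "__main__":
    for name, data in (("benign", BENIGN), ("blanket", BLANKET)):
        routes = parse_option_121(data)
        print(name, [f"{n} via {g}" for n, g in routes],
              "covers all IPv4:", covers_all_ipv4(routes))
```

The same decoder applies to any captured DHCPOFFER or DHCPACK; feeding it the option 121 bytes from a packet capture is one way to audit what a network's DHCP server is actually pushing.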

Methods of exploitation

The prerequisite is for an attacker to have their own malicious DHCP server in the network and for targeted users to treat it as the legitimate DHCP server.

There are several methods by which an attacker on the same network as the targeted user can position themselves as the DHCP server:

  • DHCP Starvation Attack: By using a rogue DHCP server to perform a DHCP starvation attack against the legitimate DHCP server, the attacker can exhaust available IP addresses and respond to new clients.
  • Race Condition Exploitation: The rogue DHCP server can race to respond to DHCPDISCOVER broadcasts, taking advantage of the common client behavior of accepting the first lease offer received.
  • ARP Spoofing: The attacker can use ARP spoofing to intercept traffic between the legitimate DHCP server and clients, then wait for clients to renew their leases, redirecting them to the rogue DHCP server.

Attack Execution

Once a malicious DHCP server is deployed on the same network as the targeted VPN user, it is configured to hand out itself as the default gateway. When traffic reaches this gateway, forwarding rules relay it to the legitimate gateway, allowing the traffic to be monitored or inspected while it traverses the malicious server, effectively performing an Adversary-in-the-Middle (AitM) attack.

Utilizing DHCP Option 121

A crucial part of the attack involves leveraging DHCP option 121 to inject custom routes into the VPN user’s routing table. Arbitrary routes, and multiple routes if needed, can be set. By pushing routes more specific than the default /0 route used by most VPNs, the attacker ensures these routes take priority over the route for the VPN’s virtual interface, since the most specific matching route wins. For instance, two /1 routes together override the 0.0.0.0/0 all-traffic route set by most VPNs.

Injecting these routes directs network traffic through the same interface that talks to the rogue DHCP server, bypassing the VPN’s virtual interface. As a result, traffic routed this way is not encrypted by the VPN and is instead transmitted unprotected on the physical network interface.
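A small model of the host's route selection makes the two paragraphs above concrete: the same destination resolves to the tunnel before the two /1 routes are installed and to the physical interface afterwards, and a check over the installed table can flag DHCP-origin routes that a corporate DHCP server would not normally push. This is an added example, not Cato's code; the interface names, addresses (RFC 5737 documentation ranges) and the allowlist of expected internal prefixes are constructed.

```python
"""Route-selection model of the Option 121 poisoning described above.
Added example, not Cato's code; interfaces, addresses and the allowlist
of expected internal prefixes are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network

@dataclass(frozen=True)
class Route:
    dest: Net
    iface: str
    origin: str  # who installed it: "system", "vpn" or "dhcp"

def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific matching route wins,
    which is why two /1 routes beat the VPN's 0.0.0.0/0."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.dest]
    return max(matches, key=lambda r: r.dest.prefixlen, default=None)

# Internal prefixes a corporate DHCP server is expected to push (constructed policy).
EXPECTED_PUSHED = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]

def suspicious_dhcp_routes(table: List[Route]) -> List[Route]:
    """Detection check: DHCP-installed routes that leave through something
    other than the tunnel interface and fall outside the expected prefixes."""
    tun = {r.iface for r in table if r.origin == "vpn" and r.dest.prefixlen == 0}
    return [r for r in table
            if r.origin == "dhcp" and r.iface not in tun
            and not any(r.dest.subnet_of(ok) for ok in EXPECTED_PUSHED)]

# Constructed host route table after the VPN connects:
BASE_TABLE = [
    Route(Net("192.168.1.0/24"), "eth0", "system"),  # local LAN
    Route(Net("203.0.113.10/32"), "eth0", "vpn"),    # host route to the VPN server
    Route(Net("0.0.0.0/0"), "tun0", "vpn"),          # everything else via the tunnel
]
# The same table after a rogue DHCP offer pushes two /1 routes via eth0:
POISONED_TABLE = BASE_TABLE + [
    Route(Net("0.0.0.0/1"), "eth0", "dhcp"),
    Route(Net("128.0.0.0/1"), "eth0", "dhcp"),
]

if __name__ == "__main__":
    for name, table in (("clean", BASE_TABLE), ("poisoned", POISONED_TABLE)):
        r = lookup(table, "198.51.100.7")
        print(f"{name}: 198.51.100.7 -> {r.iface} via {r.dest} ({r.origin})")
    print("flagged:", [str(r.dest) for r in suspicious_dhcp_routes(POISONED_TABLE)])
```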

Summary

The “decloaking” technique highlights a vulnerability in VPN applications that allows attackers to reroute traffic outside the encrypted tunnel. By abusing DHCP, and specifically Option 121, attackers can manipulate routing tables and compromise network security.
The attack is not trivial to carry out, especially on well-maintained networks, and does not directly compromise the user; rather, it puts the attacker in a position to snoop on traffic, which in most scenarios is already encrypted (e.g. HTTPS/TLS) before entering the VPN. This discovery underscores the importance of securing DHCP configurations and being vigilant on public networks.
