CVE-2024-3661

Severity High · EPSS 89.4%
Published May 6, 2024 · Modified Jun 17, 2026
CVSS 3.1 Base Score 7.6 (High)

Description

DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.

CVSS Details

Base Score
7.6
Exploitability
2.8
Impact
4.7
Vector string
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Attack Vector Adjacent
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Low
Availability Low

Threat Intelligence

EPSS Exploit Probability
89.4% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 2

CWE-306 Missing Authentication for Critical Function (Authentication)
CWE-501 Trust Boundary Violation

Affected Products 29

Vendor             Product                         Version   Range
fortinet           forticlient                     *         ≥6.4.0  –  <7.2.5
fortinet           forticlient                     *         ≥6.4.0  –  <7.2.5
fortinet           forticlient                     *         ≥6.4.0  –  <7.2.5
fortinet           forticlient                     7.4.0     any
fortinet           forticlient                     7.4.0     any
fortinet           forticlient                     7.4.0     any
cisco              anyconnect_vpn_client           *         any
cisco              secure_client                   *         any
paloaltonetworks   globalprotect                   *         any
paloaltonetworks   globalprotect                   *         any
paloaltonetworks   globalprotect                   *         any
paloaltonetworks   globalprotect                   *         any
citrix             secure_access_client            *         <24.06.1
apple              iphone_os                       *         any
apple              macos                           *         any
citrix             secure_access_client            *         <24.8.5
linux              linux_kernel                    *         any
f5                 big-ip_access_policy_manager    *         ≥7.2.3  –  ≤7.2.5
f5                 big-ip_access_policy_manager    *         ≥15.1.0  –  ≤15.1.10
f5                 big-ip_access_policy_manager    *         ≥16.1.0  –  ≤16.1.5
f5                 big-ip_access_policy_manager    *         ≥17.1.0  –  ≤17.1.2
watchguard         ipsec_mobile_vpn_client         *         any
watchguard         ipsec_mobile_vpn_client         *         any
watchguard         mobile_vpn_with_ssl             *         any
watchguard         mobile_vpn_with_ssl             *         any
zscaler            client_connector                *         <1.5.1.25
zscaler            client_connector                *         <4.2.0.282
zscaler            client_connector                *         ≥3.7  –  <3.7.0.134
zscaler            client_connector                *         any

References 20

  • https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/
    Exploit, Press/Media Coverage
  • https://bst.cisco.com/quickview/bug/CSCwk05814
    Third Party Advisory, Vendor Advisory
  • https://datatracker.ietf.org/doc/html/rfc2131#section-7
    Related
  • https://datatracker.ietf.org/doc/html/rfc3442#section-7
    Related
  • https://fortiguard.fortinet.com/psirt/FG-IR-24-170
    Vendor Advisory
  • https://issuetracker.google.com/issues/263721377
    Issue Tracking
  • https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/
    Exploit, Press/Media Coverage
  • https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic
    Issue Tracking
  • https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision
    Third Party Advisory
  • https://my.f5.com/manage/s/article/K000139553
    Vendor Advisory
  • https://news.ycombinator.com/item?id=40279632
    Issue Tracking
  • https://news.ycombinator.com/item?id=40284111
    Issue Tracking
  • https://security.paloaltonetworks.com/CVE-2024-3661
    Vendor Advisory
  • https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661
    Vendor Advisory
  • https://tunnelvisionbug.com/
    Exploit, Third Party Advisory
  • https://www.agwa.name/blog/post/hardening_openvpn_for_def_con
    Related
  • https://www.leviathansecurity.com/research/tunnelvision
    Third Party Advisory
  • https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/
    Exploit, Press/Media Coverage
  • https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009
    Mitigation, Third Party Advisory, Vendor Advisory
  • https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability
    Exploit, Third Party Advisory, Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.