Beware of rogue DHCP servers hiding your VPN connections • The Register

A newly discovered vulnerability undermines countless VPN clients, as their traffic can be silently diverted out of their encrypted tunnels and intercepted by network snoops.

Dubbed TunnelVision by the brains at Leviathan Security Group who discovered and documented it, the technique (CVE-2024-3661) can leave a VPN user believing their connection is adequately protected and routed through an encrypted tunnel as usual, while an attacker on their network has redirected their connections so they can potentially be inspected.

To make matters worse, the problem is rooted in DHCP, which means that no matter which VPN is being used or which operating system it runs on, you are probably vulnerable, unless you’re on Android; more on that later.

“Also, the strength of the encryption algorithm a VPN uses makes no difference,” Leviathan Security noted. “The effect of TunnelVision is independent of the underlying VPN protocol because it reconfigures the operating system networking stack on which the VPN is based.”

Anyone who is able to operate a DHCP server on the same network as someone using a VPN, and get that VPN client’s machine to use that DHCP server, can divert their traffic thanks to a particular feature of the configuration protocol: option 121, which allows administrators to add classless static routes to client routing tables.

As Leviathan Security put it, to exploit someone’s VPN client:

Said DHCP server could be on a public network, such as the Wi-Fi at an airport or hotel. That DHCP system could be run by a corrupt network administrator, although the Leviathan team explained how anyone else on the network could set up a DHCP server to undermine VPN clients on that LAN, suggesting the following three scenarios:

Once a bad actor is in a position to issue DHCP leases to a target’s machine, they can use option 121 to force all data (even traffic that is supposed to be destined for the VPN tunnel) through a gateway link configured by the DHCP server, and then read as much of that traffic as they can.

As is always the case with VPN security issues, if a spy intercepts, for example, HTTPS/TLS or SSH encrypted connections, that spy will not be able to easily read the contents of those connections; however, the eavesdropper can read anything that passes in plain text over the diverted path.

“Most users using commercial VPNs send web traffic that is primarily HTTPS,” as Leviathan’s Dani Cronce and Lizzie Moratti put it. “HTTPS traffic looks like gibberish to attackers using TunnelVision. But they know who you’re sending that gibberish to, which can be a problem.”

In Cronce and Moratti’s tests, their VPN software never reported a problem with the connection, and the kill switches that were supposed to activate when VPN routes were interrupted were never activated.

This is not a particularly new topic either. “We… believe that this technique may have been possible as early as 2002 and could have already been discovered and potentially used in the wild,” the duo said, adding that their work is an evolution of the TunnelCrack exploit we covered last year, among other previous research.

Very public networks

As mentioned above, the type of VPN TunnelVision targets doesn’t really matter, and in all but one case, the operating system doesn’t matter either. Android users are safe because the operating system does not support DHCP option 121.

So what can be done to protect VPN users, who seem quite vulnerable in light of this discovery? That’s complicated.

“TunnelVision does not rely on violating any security properties of the underlying technologies,” the researchers noted. “From our perspective, TunnelVision is how DHCP, routing tables and VPNs should work.”

The only true solution, at least for Linux users, is to use network namespaces; everything else is described as a workaround that is not guaranteed to work fully. Makers of non-Linux operating systems are encouraged to implement network namespaces if they have not already done so.

The duo offers some mitigations at the firewall level, but warns that they “create a selective denial of service for traffic using the DHCP path and introduce a side channel.” See previous articles for more details.

If it’s possible to tell your system to ignore DHCP option 121 routes while a VPN is active, that would be a good plan, and Leviathan also recommends using a VPN over a dedicated, password-protected wireless access point for an extra layer of security. Their suggestions for VPN users are:

And for VPN providers:

The bottom line is that when using a VPN client on a public or untrusted network with a host machine that supports DHCP option 121, consider avoiding that option or taking steps to protect the client, such as placing it on your own network.
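To make the option 121 mechanism described above concrete, together with the client-side mitigation of ignoring such routes while a VPN is active, here is an added example (not Leviathan’s code nor anything from the article): a Python decoder for the option 121 route list in a DHCP lease, plus a policy that refuses any route leaving the physical LAN while the tunnel is up. The lease bytes, the LAN subnet 192.168.1.0/24 and the function names are constructed for illustration.

```python
import ipaddress

DHCP_OPT_PAD, DHCP_OPT_CLASSLESS_ROUTE, DHCP_OPT_END = 0, 121, 255   # RFC 2132 / RFC 3442

def parse_dhcp_options(blob: bytes) -> dict:
    """Parse the DHCP option area (TLV; code 0 = pad, 255 = end) into {code: raw value}."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != DHCP_OPT_END:
        if blob[i] == DHCP_OPT_PAD:
            i += 1
            continue
        code, length = blob[i], blob[i + 1]
        opts[code], i = blob[i + 2:i + 2 + length], i + 2 + length
    return opts

def parse_classless_routes(value: bytes) -> list:
    """Decode option 121: [prefix_len][only the significant dest octets][router x4], repeated."""
    routes, i = [], 0
    while i < len(value):
        plen = value[i]
        nbytes = (plen + 7) // 8 if plen <= 32 else 0
        dest = value[i + 1:i + 1 + nbytes].ljust(4, b"\x00")   # pad back to 4 octets
        router = value[i + 1 + nbytes:i + 5 + nbytes]
        if plen > 32 or len(router) != 4:
            raise ValueError("malformed option 121 at offset %d" % i)
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False), ipaddress.IPv4Address(router)))
        i += 5 + nbytes
    return routes

def filter_lease_routes(options_blob: bytes, lan: str, vpn_active: bool):
    """Split option-121 routes into (accepted, rejected): while the VPN is up, only routes inside
    the physical LAN are installed; anything broader is what pulls traffic out of the tunnel."""
    opts = parse_dhcp_options(options_blob)
    lan_net = ipaddress.IPv4Network(lan)
    accepted, rejected = [], []
    for net, gw in parse_classless_routes(opts.get(DHCP_OPT_CLASSLESS_ROUTE, b"")):
        (rejected if vpn_active and not net.subnet_of(lan_net) else accepted).append((net, gw))
    return accepted, rejected

# Constructed sample lease options (not a real capture): mask, router, and an option 121
# carrying one route that stays on the LAN plus two that would divert traffic off it.
SAMPLE_OPTIONS = (
    b"\x01\x04\xff\xff\xff\x00"          # option 1: subnet mask 255.255.255.0
    b"\x03\x04\xc0\xa8\x01\x01"          # option 3: router 192.168.1.1
    b"\x79\x15"                          # option 121, 21 bytes of routes:
    b"\x18\xc0\xa8\x01\xc0\xa8\x01\x01"  #   192.168.1.0/24 via 192.168.1.1
    b"\x18\xcb\x00\x71\xc0\xa8\x01\xfe"  #   203.0.113.0/24 via 192.168.1.254
    b"\x00\xc0\xa8\x01\xfe"              #   0.0.0.0/0      via 192.168.1.254
    b"\xff"                              # end option
)
```

Calling `filter_lease_routes(SAMPLE_OPTIONS, "192.168.1.0/24", vpn_active=True)` keeps only the 192.168.1.0/24 route and reports the other two, which is the visibility a VPN client lacks in the tests described above.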

“All of the mitigations we’ve looked at still expose a serious problem for users who rely on the complete privacy of their connection, and the problem can also be used for censorship,” Cronce and Moratti said. “We believe (fixing this issue) is a shared responsibility, and the people suffering from this are VPN users.” ®