TunnelVision, an attack method that diverts VPN traffic

TunnelVision: a dangerous attack method

News has been released of a recently discovered method that allows an attacker to force a user's traffic out of its VPN tunnel using built-in features of the DHCP protocol.

Baptized "TunnelVision", this new attack method allows a victim's traffic to be redirected through an attacker's host, provided the attacker has access to the local network or controls a wireless network.

It is worth pointing out that the idea of changing local routing is not new; it has commonly been used in attacks aimed at spoofing DNS servers. A similar attack, TunnelCrack, redirected traffic through a replacement default gateway; that issue affected all tested iOS, macOS, Windows, Linux and Android VPN clients.

About TunnelVision

It is mentioned that the essence of TunnelVision is that the attacker starts their own DHCP server and uses it to send the client information that changes its routing. Specifically, the attacker can use DHCP option 121, which is designed to convey static routes, to modify the routing table on the victim's machine and direct traffic around the VPN.

The purpose of this research was to test this technique against modern VPN providers to determine their vulnerability and notify the general public about this issue. This is why we agreed with CISA to file a CVE when we disclose to them and why we decided to name the vulnerability.

The redirection is done by configuring a series of routes for subnets with a /1 prefix, which take priority over the default route with its /0 prefix. Consequently, instead of going through the virtual network interface configured for the VPN, traffic is directed through the physical network interface to the attacker's host on the local network.
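To see why the /1 routes win, here is an added worked example (not TunnelVision's own tooling, and not code from the article): a toy routing table with the longest-prefix-match rule every kernel applies, plus a small audit function that lists routes leaving through anything other than the tunnel interface. All addresses, interface names and the expected-prefix list are assumptions made for the example.

```python
"""Longest-prefix-match walkthrough: why two /1 routes beat a /0 default.

Constructed example: a toy routing table and the lookup rule a kernel applies,
used to show where packets exit before and after a rogue DHCP server pushes
option 121 routes. Addresses and interface names are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str] = None   # None for on-link / tunnel routes
    metric: int = 0                 # lower wins, but only among equal prefix lengths


def route(prefix, interface, gateway=None, metric=0):
    return Route(ipaddress.ip_network(prefix), interface, gateway, metric)


def lookup(table, dst):
    """Pick the route a kernel would use: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def egress_interface(table, dst):
    """Name of the interface a packet to dst would leave through, or None."""
    chosen = lookup(table, dst)
    return chosen.interface if chosen else None


# Constructed routing table of a VPN client on a LAN (all addresses are assumptions).
VPN_TABLE = [
    route("0.0.0.0/0", "tun0"),                              # VPN default: everything into the tunnel
    route("0.0.0.0/0", "eth0", "192.168.1.1", metric=100),   # physical default, lower priority
    route("192.168.1.0/24", "eth0"),                         # the local LAN
    route("203.0.113.10/32", "eth0", "192.168.1.1"),         # host route to the VPN server itself
]

# Constructed option 121 routes of the kind the article describes: two /1 prefixes
# that together cover the whole IPv4 space, both pointing at the LAN gateway.
OPTION_121_ROUTES = [
    route("0.0.0.0/1", "eth0", "192.168.1.1"),
    route("128.0.0.0/1", "eth0", "192.168.1.1"),
]

# Off-tunnel prefixes a VPN client legitimately needs (assumed for this example).
EXPECTED_OFF_TUNNEL = {
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("203.0.113.10/32"),
}


def suspicious_routes(table, vpn_iface="tun0", expected=EXPECTED_OFF_TUNNEL):
    """Defender-side audit: routes that leave through something other than the
    VPN interface, are more specific than the /0 default, and are not on the
    expected list. Any hit steals traffic from the tunnel."""
    return [
        r for r in table
        if r.interface != vpn_iface
        and r.prefix.prefixlen > 0
        and r.prefix not in expected
    ]


if __name__ == "__main__":
    dst = "93.184.216.34"  # an arbitrary public address (assumed)
    print("before option 121:", dst, "->", egress_interface(VPN_TABLE, dst))
    poisoned = VPN_TABLE + OPTION_121_ROUTES
    print("after option 121: ", dst, "->", egress_interface(poisoned, dst))
    for r in suspicious_routes(poisoned):
        print("suspicious route:", r.prefix, "via", r.gateway, "dev", r.interface)
```

Note that the metric never gets a say: the kernel compares prefix length first, so a /1 route with any metric outranks the tunnel's /0 default. The host route to the VPN server (/32 via eth0) is the one off-tunnel route a client must keep, which is why the audit works from an allowlist rather than flagging everything on the physical interface.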

Instead of being sent over the VPN, the traffic is sent in clear text, without tunneling, to the attacker's system. This issue affects any VPN client that does not use isolated network namespaces to route traffic into the tunnel, or that does not establish packet filtering rules prohibiting VPN traffic from being routed through existing physical network interfaces.

TunnelVision can be performed on any system that supports DHCP option 121, including Linux, Windows, iOS and macOS, regardless of the VPN protocol (WireGuard, OpenVPN, IPsec) and cipher suite used.

It is mentioned that Android is not susceptible to this attack because it does not process DHCP option 121. Although the attack gives access to the traffic, it does not allow connections to be intercepted or the content of secure application-level protocols such as TLS and SSH to be read. For example, the attacker cannot determine the content of requests sent over HTTPS, but can see which servers the requests are being sent to.

To protect against the attack, several measures can be implemented at the packet filter level: prohibit sending packets addressed to the VPN interface through other network interfaces, block DHCP packets carrying option 121, run the VPN inside a separate virtual machine or container isolated from the external network, or use special tunnel configuration modes based on Linux network namespaces.
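The "block DHCP packets with option 121" measure needs a way to recognise that option on the wire. The following is an added example, not code from the article or from any VPN vendor: it decodes the RFC 3442 classless static route encoding (DHCP option 121, and Microsoft's option 249, which shares the format) from the options field of a DHCP message and flags entries that would override a VPN's 0.0.0.0/0 default. The sample payloads, addresses and the private-prefix list are constructed for the example.

```python
"""Decoder and check for DHCP option 121 (RFC 3442 classless static routes).

Added example: parses the options field of a DHCP message, decodes option 121
(and Microsoft's pre-standard code 249, same encoding), and flags routes that
would pull traffic out of a VPN tunnel. The DHCP payloads below are constructed.
"""
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"   # cookie that starts the options field
OPT_PAD, OPT_END = 0, 255
OPT_MESSAGE_TYPE = 53
OPT_ROUTER = 3
OPT_CLASSLESS_ROUTE = 121          # RFC 3442
OPT_MS_CLASSLESS_ROUTE = 249       # Microsoft's code for the same format

# RFC 1918 prefixes: routes inside these are treated as ordinary LAN plumbing.
PRIVATE_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_options(payload):
    """Yield (code, value) pairs from a DHCP options field, stopping at END."""
    if not payload.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    i = len(DHCP_MAGIC)
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        yield code, value
        i += 2 + length


def decode_classless_routes(value):
    """RFC 3442 encoding: <prefix length> <significant destination octets> <4-byte router>."""
    routes = []
    i = 0
    while i < len(value):
        width = value[i]
        if width > 32:
            raise ValueError("prefix length %d out of range" % width)
        n = (width + 7) // 8                      # only this many destination octets are sent
        raw_dest = value[i + 1:i + 1 + n]
        router = value[i + 1 + n:i + 5 + n]
        if len(raw_dest) != n or len(router) != 4:
            raise ValueError("truncated route entry")
        dest = ipaddress.IPv4Address(raw_dest.ljust(4, b"\x00"))
        net = ipaddress.ip_network("%s/%d" % (dest, width), strict=False)
        routes.append((net, ipaddress.IPv4Address(router)))
        i += 5 + n
    return routes


def is_private_prefix(net):
    return any(net.subnet_of(p) for p in PRIVATE_PREFIXES)


def tunnel_bypass_routes(routes):
    """Routes more specific than a VPN's 0.0.0.0/0 default that cover public
    address space; by longest-prefix matching they would win over the tunnel."""
    return [(net, gw) for net, gw in routes if net.prefixlen > 0 and not is_private_prefix(net)]


def audit_dhcp(payload):
    """Summarise what a DHCP message would do to the host's routing."""
    report = {"message_type": None, "router": None, "classless_routes": [], "bypass_routes": []}
    for code, value in parse_options(payload):
        if code == OPT_MESSAGE_TYPE and value:
            report["message_type"] = value[0]
        elif code == OPT_ROUTER and len(value) >= 4:
            report["router"] = ipaddress.IPv4Address(value[:4])
        elif code in (OPT_CLASSLESS_ROUTE, OPT_MS_CLASSLESS_ROUTE):
            report["classless_routes"].extend(decode_classless_routes(value))
    report["bypass_routes"] = tunnel_bypass_routes(report["classless_routes"])
    return report


def _opt(code, value):
    return bytes([code, len(value)]) + value


# Constructed DHCPOFFER (options field only) from a rogue server on 192.168.1.0/24:
# it pushes 0.0.0.0/1 and 128.0.0.0/1 via the gateway plus one benign private route.
ROGUE_OFFER = (
    DHCP_MAGIC
    + _opt(OPT_MESSAGE_TYPE, b"\x02")
    + _opt(OPT_ROUTER, bytes([192, 168, 1, 1]))
    + _opt(OPT_CLASSLESS_ROUTE,
           b"\x01\x00" + bytes([192, 168, 1, 1])            # 0.0.0.0/1    via 192.168.1.1
           + b"\x01\x80" + bytes([192, 168, 1, 1])          # 128.0.0.0/1  via 192.168.1.1
           + b"\x10\x0a\x14" + bytes([192, 168, 1, 254]))   # 10.20.0.0/16 via 192.168.1.254
    + bytes([OPT_END])
)

# Constructed DHCPOFFER from an ordinary server: default gateway only, no option 121.
BENIGN_OFFER = (
    DHCP_MAGIC
    + _opt(OPT_MESSAGE_TYPE, b"\x02")
    + _opt(OPT_ROUTER, bytes([192, 168, 1, 1]))
    + bytes([OPT_END])
)


if __name__ == "__main__":
    for name, offer in (("rogue", ROGUE_OFFER), ("benign", BENIGN_OFFER)):
        rep = audit_dhcp(offer)
        print(name, "router", rep["router"], "routes", [(str(n), str(g)) for n, g in rep["classless_routes"]])
        for net, gw in rep["bypass_routes"]:
            print("  WARNING: option 121 route", net, "via", gw, "would bypass the VPN tunnel")
```

A filter that simply drops every DHCP message containing option 121 or 249 is the blunt form of the mitigation named above; the decoder lets a monitoring host go one step further and distinguish a corporate DHCP server pushing an internal /16 from one pushing prefixes that swallow the public Internet.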

To replace routes, a specially designed USB device has also been built that emulates a network adapter and, when connected to a computer that uses DHCP, declares itself as the gateway. Additionally, when the gateway is under the attacker's control (for example, when a victim connects to a wireless network controlled by an attacker), a technique has been developed to inject packets into the tunnel that are perceived as coming from the VPN network interface. Several scripts have also been published to experiment with carrying out these attacks.

Finally, if you are interested in knowing more about it, you can check the details at the following link.

