7.6

CVE-2024-3661

Medienbericht
Exploit

DHCP routing options can manipulate interface-based VPN traffic

DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
FortinetFortiClient SwPlatformlinux Version >= 6.4.0 < 7.2.5
FortinetFortiClient SwPlatformmacos Version >= 6.4.0 < 7.2.5
FortinetFortiClient SwPlatformwindows Version >= 6.4.0 < 7.2.5
FortinetFortiClient Version7.4.0 SwPlatformlinux
FortinetFortiClient Version7.4.0 SwPlatformmacos
FortinetFortiClient Version7.4.0 SwPlatformwindows
CiscoSecure Client Version-
PaloaltonetworksGlobalprotect SwPlatformiphone_os
PaloaltonetworksGlobalprotect SwPlatformlinux
PaloaltonetworksGlobalprotect SwPlatformmacos
PaloaltonetworksGlobalprotect SwPlatformwindows
CitrixSecure Access Client Version < 24.06.1
   AppleiPhone OS Version-
   ApplemacOS Version-
CitrixSecure Access Client Version < 24.8.5
   LinuxLinux Kernel Version-
F5Big-ip Access Policy Manager Version >= 7.2.3 <= 7.2.5
F5Big-ip Access Policy Manager Version >= 15.1.0 <= 15.1.10
F5Big-ip Access Policy Manager Version >= 16.1.0 <= 16.1.5
F5Big-ip Access Policy Manager Version >= 17.1.0 <= 17.1.2
WatchguardIpsec Mobile Vpn Client SwPlatformmacos
WatchguardIpsec Mobile Vpn Client SwPlatformwindows
WatchguardMobile Vpn With Ssl SwPlatformmacos
WatchguardMobile Vpn With Ssl SwPlatformwindows
ZscalerClient Connector SwPlatformlinux Version < 1.5.1.25
ZscalerClient Connector SwPlatformmacos Version < 4.2.0.282
ZscalerClient Connector SwPlatformlinux Version >= 3.7 < 3.7.0.134
ZscalerClient Connector Version- SwPlatformwindows
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.06% 0.894
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.6 2.8 4.7
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
9119a7d8-5eab-497f-8521-727c672e3725 7.6 2.8 4.7
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

CWE-501 Trust Boundary Violation

The product mixes trusted and untrusted data in the same data structure or structured message.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
09.08.2025 11:36
https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/
Exploit
Press/Media Coverage
https://bst.cisco.com/quickview/bug/CSCwk05814
Third Party Advisory
https://datatracker.ietf.org/doc/html/rfc2131#section-7
Related
https://datatracker.ietf.org/doc/html/rfc3442#section-7
Related
https://fortiguard.fortinet.com/psirt/FG-IR-24-170
Vendor Advisory
https://issuetracker.google.com/issues/263721377
Issue Tracking
https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/
Exploit
Press/Media Coverage
https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic
Issue Tracking
https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision
Third Party Advisory
https://my.f5.com/manage/s/article/K000139553
Vendor Advisory
https://news.ycombinator.com/item?id=40279632
Issue Tracking
https://news.ycombinator.com/item?id=40284111
Issue Tracking
https://security.paloaltonetworks.com/CVE-2024-3661
Vendor Advisory
https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661
Vendor Advisory
https://tunnelvisionbug.com/
Third Party Advisory
Exploit
https://www.agwa.name/blog/post/hardening_openvpn_for_def_con
Related
https://www.leviathansecurity.com/research/tunnelvision
Third Party Advisory
https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/
Exploit
Press/Media Coverage
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009
Vendor Advisory
Mitigation
https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability
Vendor Advisory
Exploit