Advisory: TunnelVision Vulnerability in VPN Clients

Overview

On May 6, 2024, Leviathan Security Group published an article about decloaking VPN traffic using DHCP option 121 (classless route option), dubbed “TunnelVision”. The issue was assigned CVE-2024-3661 with a CVSS v3.1 score of 7.6.

The issue allows an adversarial DHCP server on the local network to route user traffic via the physical network interface to a gateway of the attacker’s choice instead of an established VPN tunnel.

Encrypted traffic, such as HTTPS, remains secure and cannot be decrypted, even if an adversary manipulates the routing.

Mitigations

An update of Sophos Connect Client is not required as the risk of exploitation is very low and easily mitigated by ensuring TLS is used on all services reachable via VPN.

Related information

• https://www.leviathansecurity.com/blog/tunnelvision
• https://nvd.nist.gov/vuln/detail/CVE-2024-3661