Description
DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.
Statement
This vulnerability is also known as TunnelVision. It describes a technique that uses DHCP configuration to manipulate hosts into sending traffic to an attacker's host instead of through the VPN as expected. MITRE reports it as a vulnerability against DHCP. However, the DHCP protocol works as intended: as a protocol without cryptographic protection, attackers do not break any security boundary in DHCP by using DHCP option 121. To defend against this attack vector, users or VPN configuration software need to configure the VPN correctly or use other techniques to prevent a DHCP configuration from manipulating routing decisions for packets intended to be contained in the VPN. This affects only situations where hosts use DHCP in a network and attackers can control a DHCP server. It affects both full-tunnel and split-tunnel VPNs. IPsec policy-based VPNs do not send unencrypted traffic to attackers, as they encrypt traffic regardless of the routing decision.
Mitigation
The mitigation steps also ensure that applications using the VPN cannot access local resources outside the VPN in full-tunnel mode. If access to local resources outside the VPN is needed, additional routing configuration is necessary. The following steps demonstrate how to configure VPN profiles with NetworkManager so that VPN routes take precedence over DHCP routes. This uses routing rules with a higher priority than the rule that looks up the main routing table, so the VPN routing table is consulted before the main routing table. Please note that a higher priority is configured by setting a lower priority value in the routing configuration.
- Two bugs in NetworkManager prevented these steps from working with profiles that use VPN plugins, such as libreswan. Therefore, first update NetworkManager:
  - On RHEL 8.10, use NetworkManager-1.40.16-18.el8_10 or later.
  - On RHEL 9.5 and later, use NetworkManager-1.48.10-5.el9_5 or later.
- In the next steps, you will assign the VPN routes to a dedicated routing table. By default, RHEL does not use routing tables 1-252, so you can use one of them. If you configured the system to use some of these tables, identify a free routing table number. The following example uses routing table 75.
- Optional: Configure a name for the routing table by adding a line such as the following to the /etc/iproute2/rt_tables file:

        75 vpn

  This makes the output of ip commands easier to read. Note that NetworkManager only supports a table ID, not the table name.
- Configure the VPN connection profile to place the VPN routes in the dedicated routing table:

        nmcli connection modify <VPN_connection_profile> ipv4.route-table <routing_table_number>

  For example:

        nmcli connection modify "Company VPN" ipv4.route-table 75

- Set a low priority value for the table you used in the previous command:

        nmcli connection modify <VPN_connection_profile> ipv4.routing-rules "priority <low_priority_value> from all table <routing_table_number>"

  The priority value can be any value between 1 and 32766, but the lower the value, the higher the priority. For example:

        nmcli connection modify "Company VPN" ipv4.routing-rules "priority 32345 from all table 75"

- Reconnect the VPN:

        nmcli connection down <VPN_connection_profile>
        nmcli connection up <VPN_connection_profile>
This only prevents the TunnelVision techniques and possibly related issues for IPv4. For IPv6, it might be necessary to repeat the steps for the IPv6 settings. If software other than NetworkManager is used to configure a VPN, it might need similar configuration changes to mitigate TunnelVision.
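To make the routing argument behind these steps concrete, here is an added illustration that is not part of this advisory and not NetworkManager code: a small Python model of Linux policy routing that walks the `ip rule` entries in ascending priority order and does a longest-prefix match inside each table. It compares the default layout (VPN routes and an option-121 route together in the main table) with the mitigated layout (VPN routes in table 75, consulted by a rule at priority 32345 before the main-table rule at 32766). All addresses, interface names and the option-121 prefix 10.20.0.0/16 are constructed; the VPN gateway's own host route and the kernel's local table are left out of the model.

```python
"""Policy-routing model of the TunnelVision mitigation (added example, simplified)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAIN_TABLE = 254          # Linux "main" table; the default rule at priority 32766 points at it
MAIN_RULE_PRIORITY = 32766
VPN_TABLE = 75            # dedicated table used in the steps above
VPN_RULE_PRIORITY = 32345 # lower value = consulted earlier, as in `ip rule`


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str            # egress interface: "tun0" is the VPN, "eth0" the physical NIC
    metric: int = 0


@dataclass(frozen=True)
class Rule:
    priority: int
    table: int


def lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match within a single table; ties are broken by the lowest metric."""
    best: Optional[Route] = None
    for route in table:
        if dst not in route.prefix:
            continue
        if best is None or (route.prefix.prefixlen, -route.metric) > (best.prefix.prefixlen, -best.metric):
            best = route
    return best


def egress(rules: List[Rule], tables: Dict[int, List[Route]], dst: str) -> Optional[str]:
    """Policy routing: the first table (by rule priority) that holds a matching route decides."""
    addr = ipaddress.IPv4Address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        hit = lookup(tables.get(rule.table, []), addr)
        if hit is not None:
            return hit.dev
    return None  # no route at all


def build_scenario(mitigated: bool) -> Tuple[List[Rule], Dict[int, List[Route]]]:
    """Constructed host: one LAN on eth0, a full-tunnel VPN on tun0, one rogue option-121 route."""
    net = ipaddress.IPv4Network
    physical = [Route(net("0.0.0.0/0"), "eth0", 100),
                Route(net("192.168.1.0/24"), "eth0", 100)]
    # A full-tunnel VPN typically installs two /1 routes: they cover everything yet beat the /0 default.
    vpn = [Route(net("0.0.0.0/1"), "tun0", 50),
           Route(net("128.0.0.0/1"), "tun0", 50)]
    # Constructed classless static route (DHCP option 121) from a rogue server, more specific than /1.
    dhcp_option_121 = [Route(net("10.20.0.0/16"), "eth0", 100)]

    if not mitigated:
        # Everything lands in the main table, so longest-prefix match lets the /16 win over the VPN's /1.
        return [Rule(MAIN_RULE_PRIORITY, MAIN_TABLE)], {MAIN_TABLE: physical + vpn + dhcp_option_121}

    # ipv4.route-table 75 + "priority 32345 from all table 75": table 75 is consulted before main.
    return ([Rule(VPN_RULE_PRIORITY, VPN_TABLE), Rule(MAIN_RULE_PRIORITY, MAIN_TABLE)],
            {VPN_TABLE: vpn, MAIN_TABLE: physical + dhcp_option_121})


def leaked_destinations(rules: List[Rule], tables: Dict[int, List[Route]], dsts: List[str]) -> List[str]:
    """Destinations that would leave on the physical interface instead of the tunnel."""
    return [d for d in dsts if egress(rules, tables, d) == "eth0"]


if __name__ == "__main__":
    probes = ["10.20.5.7", "203.0.113.10", "192.168.1.50"]
    for mitigated in (False, True):
        rules, tables = build_scenario(mitigated)
        print("mitigated" if mitigated else "default layout")
        for dst in probes:
            print(f"  {dst:15} -> {egress(rules, tables, dst)}")
        print("  leaked:", leaked_destinations(rules, tables, probes))
```

With the default layout, 10.20.5.7 leaves on eth0 because the /16 pushed via option 121 is more specific than the VPN's /1 routes; with the mitigated layout the VPN table is consulted first and the same destination goes through tun0. The model also shows the side effect stated at the start of this section: once table 75 wins, 192.168.1.50 on the local LAN is routed into the tunnel too, which is why local access needs extra routing configuration.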
Affected packages
Platform | Package | Status | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 10 | dhcpcd | Not affected | ||
Red Hat Enterprise Linux 10 | NetworkManager | Not affected | ||
Red Hat Enterprise Linux 6 | dhcp | Not affected | ||
Red Hat Enterprise Linux 6 | NetworkManager | Will not fix | ||
Red Hat Enterprise Linux 7 | dhcp | Not affected | ||
Red Hat Enterprise Linux 7 | NetworkManager | Will not fix | ||
Red Hat Enterprise Linux 8 | dhcp | Not affected | ||
Red Hat Enterprise Linux 9 | dhcp | Not affected | ||
Red Hat Enterprise Linux 8 | NetworkManager | Fixed | RHSA-2025:0288 | 13.01.2025 |
CVSS3: 7.6 High
Related vulnerabilities
By design, the DHCP protocol does not authenticate messages, including for example the classless static route option (121). An attacker with the ability to send DHCP messages can manipulate routes to redirect VPN traffic, allowing the attacker to read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN. Many, if not most VPN systems based on IP routing are susceptible to such attacks.
ELSA-2025-0377: Security and bug fixes for NetworkManager (MODERATE)
CVSS3: 7.6 High