Vulnerability Description
DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fortinet | Forticlient | >= 6.4.0, < 7.2.5 |
| Cisco | Anyconnect Vpn Client | - |
| Cisco | Secure Client | - |
| Paloaltonetworks | Globalprotect | All versions |
| Citrix | Secure Access Client | < 24.06.1 |
| Apple | Iphone Os | - |
| Apple | Macos | - |
| Linux | Linux Kernel | - |
| F5 | Big-Ip Access Policy Manager | >= 7.2.3, <= 7.2.5 |
| Watchguard | Ipsec Mobile Vpn Client | All versions |
| Watchguard | Mobile Vpn With Ssl | All versions |
| Zscaler | Client Connector | < 1.5.1.25 |
Related Weaknesses (CWE)
References
- https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-ExploitPress/Media Coverage
- https://bst.cisco.com/quickview/bug/CSCwk05814Third Party AdvisoryVendor Advisory
- https://datatracker.ietf.org/doc/html/rfc2131#section-7Related
- https://datatracker.ietf.org/doc/html/rfc3442#section-7Related
- https://fortiguard.fortinet.com/psirt/FG-IR-24-170Vendor Advisory
- https://issuetracker.google.com/issues/263721377Issue Tracking
- https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claiExploitPress/Media Coverage
- https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-networkIssue Tracking
- https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvisionThird Party Advisory
- https://my.f5.com/manage/s/article/K000139553Vendor Advisory
- https://news.ycombinator.com/item?id=40279632Issue Tracking
- https://news.ycombinator.com/item?id=40284111Issue Tracking
- https://security.paloaltonetworks.com/CVE-2024-3661Vendor Advisory
- https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisVendor Advisory
- https://tunnelvisionbug.com/ExploitThird Party Advisory
FAQ
What is CVE-2024-3661?
CVE-2024-3661 is a vulnerability with a CVSS score of 7.6 (HIGH). DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the...
How severe is CVE-2024-3661?
CVE-2024-3661 has been rated HIGH with a CVSS base score of 7.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-3661?
Check the references section above for vendor advisories and patch information. Affected products include: Fortinet Forticlient, Cisco Anyconnect Vpn Client, Cisco Secure Client, Paloaltonetworks Globalprotect, Citrix Secure Access Client.