Topic
This article describes CVE-2024-3661, the Tunnelvision VPN vulnerability, and suggests steps you should take to safeguard your ControlOne Network.
Environment
- Cytracom ControlOne
Description
What is Tunnelvision?
Tunnelvision is an attack that exploits a DHCP feature (DHCP option 121, classless static routes) to install additional static routes on a VPN client alongside the protected VPN tunnel. Traffic matching those routes bypasses the tunnel and can be redirected through the attacker on its way to the internet, leaving it vulnerable to identification (decloaking), interception, and tampering.
In a Tunnelvision attack, the VPN's safeguards are never engaged, and no alerts are sent, as no malicious activity occurs within the tunnel.
This attack vector can affect your ControlOne Network. However, it does not exploit any weaknesses in the ControlOne security solution. Rather, it exploits the inherent design of VPN tunnels.
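As an added example (not part of this article or of the ControlOne product), the script below decodes the option 121 routes carried in a DHCP lease and flags any that would pull traffic away from the VPN. The sample lease bytes, the gateway 192.168.1.1 and the list of internal prefixes are constructed assumptions; in practice you would feed it the option 121 value captured from the lease your client actually received.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

def decode_option121(data: bytes) -> List[Route]:
    """Decode DHCP option 121 (RFC 3442): each entry is a prefix length byte,
    ceil(prefix/8) significant destination octets, then a 4-byte router."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        prefix_len = data[i]
        i += 1
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len}")
        n_octets = (prefix_len + 7) // 8
        if i + n_octets + 4 > len(data):
            raise ValueError("truncated option 121 entry")
        # Destination octets not sent on the wire are implicitly zero.
        dest = ipaddress.IPv4Address(data[i:i + n_octets].ljust(4, b"\x00"))
        i += n_octets
        router = ipaddress.IPv4Address(data[i:i + 4])
        i += 4
        routes.append((ipaddress.IPv4Network((dest, prefix_len), strict=False), router))
    return routes

def suspicious_routes(routes: List[Route], expected_gateway: str,
                      allowed_destinations: List[str]) -> List[Route]:
    """Flag routes whose next hop is not the legitimate LAN gateway or whose
    destination lies outside the internal prefixes the site actually uses;
    either kind steers traffic around the VPN's default route."""
    gw = ipaddress.IPv4Address(expected_gateway)
    allowed = [ipaddress.IPv4Network(p) for p in allowed_destinations]
    return [(net, router) for net, router in routes
            if router != gw or not any(net.subnet_of(a) for a in allowed)]

# Constructed option-121 value from a hypothetical lease: one legitimate route to
# an internal /24 via 192.168.1.1, then two /1 routes via another host that
# together cover all of IPv4 more specifically than the VPN's /0 default.
SAMPLE_OPTION_121 = bytes.fromhex(
    "18 0a141e c0a80101"  # 10.20.30.0/24 via 192.168.1.1
    "01 00 c0a80163"      # 0.0.0.0/1     via 192.168.1.99
    "01 80 c0a80163"      # 128.0.0.0/1   via 192.168.1.99
)

if __name__ == "__main__":
    routes = decode_option121(SAMPLE_OPTION_121)
    for net, router in suspicious_routes(routes, "192.168.1.1", ["10.0.0.0/8", "192.168.0.0/16"]):
        print(f"unexpected route {net} via {router}")
```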
What steps should I take?
There are some steps you can take to protect yourself from this vulnerability:
Run your ControlOne Bridge behind a managed switch
Managed switches provide protection features that detect and prevent rogue DHCP servers from operating on the network. To guard against Tunnelvision, enable these features on the switch:
- DHCP Snooping + DHCP Guard: Use these features in conjunction with each other.
  - DHCP snooping is a set of switch features that improve the security of the DHCP infrastructure. DHCP servers allocate IP addresses to clients on a LAN; DHCP snooping on the LAN switch accepts DHCP server replies only from ports you mark as trusted, which excludes rogue DHCP servers and drops malicious or malformed DHCP traffic.
  - DHCP Guard uses a hardware access control list (ACL) to control the passage of DHCP packets based on a port's trust status (trusted/untrusted). It does not record IP/MAC information to a table, so it should be used in conjunction with DHCP Snooping.
- Dynamic ARP Inspection (DAI): Inspects ARP packets on the LAN and compares their MAC and IP address information against the DHCP snooping binding table. Any ARP packet that does not match the table is dropped. DAI also verifies that the source IP address matches the sender's MAC address.
- IP Source Guard: Provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming its IP address. The feature uses dynamic DHCP snooping bindings and static IP source bindings to match IP addresses to hosts on untrusted Layer 2 access ports.
Practice good user habits
- Only connect to known networks.
- If you are in a location with a public network (such as an airport or a coffee shop), connect through your phone's LTE hotspot instead.
Additional Resources
- Ars Technica: Tunnelvision explanation
- NIST page on CVE-2024-3661
Still have questions? Click here to learn how to contact Cytracom Technical Support or open a ticket.