Security Advisory Detail

CVE-2024-3661 Impact of TunnelVision Vulnerability

Advisory ID: WGSA-2024-00009
CVE: CVE-2024-3661
Impact: High
Status: Acknowledged
Product Family: Other Software
Published Date:
Updated Date:
Workaround Available: True
CVSS Score: 7.6
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Summary

Researchers at Leviathan Security discovered that VPN clients which rely on routes to redirect traffic can be forced to leak traffic over the physical interface when the endpoint processes a DHCP option 121 message from a rogue DHCP server. An attacker on the same local network can exploit this vulnerability to divert traffic out of the tunnel, allowing them to disrupt, and potentially read or modify, unencrypted connections. This vulnerability does not allow an attacker to read encrypted traffic.

The WatchGuard Mobile VPN with SSL and IPSEC Mobile VPN clients for Windows and macOS use the endpoint computer's route table to direct traffic through the tunnel. Modifications to the endpoint computer's route table, such as those introduced via the scenario described in TunnelVision, could impact VPN traffic routing.
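As an added illustration of the mechanism described above (example code, not part of WatchGuard's advisory or its client software): a decoder for the RFC 3442 classless static route option 121 carried in a DHCP message, followed by a check that flags pushed routes more specific than the VPN tunnel's own routes, since longest-prefix matching lets such routes win over the tunnel. The tunnel routes (0.0.0.0/1 and 128.0.0.0/1), the DHCP router 192.168.1.1 and the option payload are constructed sample values.

```python
import ipaddress
from typing import List, Tuple

# (destination network, next-hop router) as carried in DHCP option 121
Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def parse_option_121(data: bytes) -> List[Route]:
    """Decode the value of DHCP option 121 (RFC 3442 classless static routes).

    Each entry is: prefix length (1 byte), the significant octets of the
    destination (ceil(prefix_len / 8) bytes), then the 4-byte router address.
    """
    routes: List[Route] = []
    i = 0
    while i < len(data):
        prefix_len = data[i]
        if prefix_len > 32:
            raise ValueError(f"bad prefix length {prefix_len} at offset {i}")
        n_octets = (prefix_len + 7) // 8
        raw_dest = data[i + 1:i + 1 + n_octets]
        router = data[i + 1 + n_octets:i + 5 + n_octets]
        if len(raw_dest) != n_octets or len(router) != 4:
            raise ValueError(f"truncated route entry at offset {i}")
        dest = int.from_bytes(raw_dest.ljust(4, b"\x00"), "big")  # pad to 4 octets
        net = ipaddress.IPv4Network((dest, prefix_len), strict=False)
        routes.append((net, ipaddress.IPv4Address(router)))
        i += 5 + n_octets
    return routes


def diverting_routes(pushed: List[Route], tunnel: List[ipaddress.IPv4Network]) -> List[Route]:
    """Return pushed routes that are strictly more specific than a tunnel route they
    fall inside. Longest-prefix match means they win regardless of metric, so matching
    traffic leaves via the physical interface. Equal-length prefixes compete on metric
    and are not flagged here."""
    return [(net, gw) for net, gw in pushed
            if any(net.prefixlen > t.prefixlen and net.subnet_of(t) for t in tunnel)]


# Constructed sample: a full-tunnel client owning both halves of IPv4 address space
TUNNEL_ROUTES = [ipaddress.IPv4Network("0.0.0.0/1"), ipaddress.IPv4Network("128.0.0.0/1")]

# Constructed option 121 payload from a DHCP server at 192.168.1.1
SAMPLE_OPTION_121 = bytes.fromhex(
    "00" "c0a80101"           # 0.0.0.0/0 via 192.168.1.1 (ordinary default route)
    "08" "0a" "c0a80101"      # 10.0.0.0/8 via 192.168.1.1
    "18" "cb0071" "c0a80101"  # 203.0.113.0/24 via 192.168.1.1
)

if __name__ == "__main__":
    for net, gw in diverting_routes(parse_option_121(SAMPLE_OPTION_121), TUNNEL_ROUTES):
        print(f"WARNING: {net} via {gw} is more specific than the tunnel routes")
```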

Affected
| Product | Version | Status |
| --- | --- | --- |
| WatchGuard Mobile VPN with SSL for Windows | All | Affected |
| WatchGuard Mobile VPN with SSL for macOS | All | Affected |
| WatchGuard IPSEC Mobile VPN Client for Windows (NCP) | All | Affected |
| WatchGuard IPSEC Mobile VPN Client for macOS (NCP) | All | Affected |
Workaround
  • IPSec Mobile VPN: Use the Allow All Traffic Through Tunnel configuration option to route all traffic through the tunnel
  • Mobile VPN with SSL: Use the Force all client traffic through the tunnel configuration option to route all traffic through the tunnel
Advisory Product List
| Product Family | Product Branch | Product List |
| --- | --- | --- |
| Other Software | SSL VPN | SSL VPN |
| Other Software | IPSec VPN | IPSec VPN |