CVE-2024-3661 Impact of TunnelVision Vulnerability
Researchers at Leviathan Security discovered that VPN clients which rely on routing-table entries to redirect traffic into the tunnel can be forced to send that traffic over the physical interface when the endpoint processes a DHCP option 121 (classless static route) message from a rogue DHCP server. An attacker on the same local network can exploit this vulnerability to divert traffic out of the tunnel, allowing them to disrupt, and potentially read or modify, unencrypted connections. This vulnerability does not allow an attacker to read encrypted traffic.
The WatchGuard Mobile VPN with SSL and IPSEC Mobile VPN clients for Windows and macOS use the endpoint computer’s route table to direct traffic through the tunnel. Modifications to the endpoint computer's route table, such as those introduced via the scenario described in TunnelVision, could impact VPN traffic routing.
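To make the mechanism concrete from the defender's side, the following added example (written for this page; it is not WatchGuard's, NCP's or Leviathan Security's code) parses a DHCP option 121 value in the RFC 3442 wire format and then applies the longest-prefix-match rule to find which pushed routes would take precedence over a client's tunnel routes. The option bytes, the gateway 192.168.1.1 and the tunnel route lists are constructed sample values; the function names are the example's own. A monitoring script on an endpoint could feed it the option value seen on a DHCP lease and the routes the VPN client installed.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def parse_option121(data: bytes) -> List[Route]:
    """Parse the value of DHCP option 121 (Classless Static Route, RFC 3442).

    Each entry is: one byte of prefix length, ceil(prefixlen / 8) significant
    destination octets, then a 4-byte router address.  Truncated or invalid
    input raises ValueError instead of silently returning partial routes.
    """
    routes: List[Route] = []
    i = 0
    while i < len(data):
        width = data[i]
        i += 1
        if width > 32:
            raise ValueError(f"invalid prefix length {width}")
        n = (width + 7) // 8                       # significant octets present
        if i + n + 4 > len(data):
            raise ValueError("truncated option 121 data")
        dest = bytes(data[i:i + n]) + b"\x00" * (4 - n)   # pad to 4 octets
        i += n
        gateway = ipaddress.IPv4Address(bytes(data[i:i + 4]))
        i += 4
        # strict=False zeroes any host bits when width is not a multiple of 8
        network = ipaddress.IPv4Network((dest, width), strict=False)
        routes.append((network, gateway))
    return routes


def bypassing_routes(pushed: List[Route], tunnel_cidrs: List[str]) -> List[Tuple[str, str]]:
    """Return pushed routes that are at least as specific as an overlapping tunnel route.

    The kernel picks the longest matching prefix, so such entries on the
    physical interface win over the tunnel route for the addresses they cover;
    a less specific pushed route (e.g. 0.0.0.0/0 against 0.0.0.0/1) does not.
    """
    tunnels = [ipaddress.ip_network(c) for c in tunnel_cidrs]
    leaks: List[Tuple[str, str]] = []
    for network, gateway in pushed:
        for tunnel in tunnels:
            if network.overlaps(tunnel) and network.prefixlen >= tunnel.prefixlen:
                leaks.append((str(network), str(gateway)))
                break
    return leaks


# Constructed sample option value (three entries, all via the hypothetical
# gateway 192.168.1.1): 203.0.113.0/24, 0.0.0.0/0 and 10.20.16.0/20.
OPTION121_SAMPLE = bytes([
    24, 203, 0, 113,      192, 168, 1, 1,
    0,                    192, 168, 1, 1,
    20, 10, 20, 16,       192, 168, 1, 1,
])

# Tunnel routes a full-tunnel client typically installs (two /1 routes
# beating the interface default), and a split-tunnel client's single subnet.
FULL_TUNNEL = ["0.0.0.0/1", "128.0.0.0/1"]
SPLIT_TUNNEL = ["10.0.0.0/8"]


if __name__ == "__main__":
    pushed = parse_option121(OPTION121_SAMPLE)
    for network, gateway in pushed:
        print(f"pushed route {network} via {gateway}")
    print("full tunnel, bypassed:", bypassing_routes(pushed, FULL_TUNNEL))
    print("split tunnel, bypassed:", bypassing_routes(pushed, SPLIT_TUNNEL))
```

Against the full-tunnel routes, both the /24 and the /20 entries are more specific than the two /1 tunnel routes and would be honoured by the physical interface, while the pushed default route is not; against the split-tunnel list only the /20 inside 10.0.0.0/8 matters. This is the same comparison the "route all traffic through the tunnel" options below rely on: they do not stop option 121 routes from being installed, they only ensure the tunnel's own routes are present for all destinations, so any pushed route more specific than those still needs to be noticed and removed.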
Product | Version | Status
---|---|---
WatchGuard Mobile VPN with SSL for Windows | All | Affected
WatchGuard Mobile VPN with SSL for macOS | All | Affected
WatchGuard IPSEC Mobile VPN Client for Windows (NCP) | All | Affected
WatchGuard IPSEC Mobile VPN Client for macOS (NCP) | All | Affected
- IPSec Mobile VPN: enable the Allow All Traffic Through Tunnel configuration option so that all client traffic is routed through the tunnel
- Mobile VPN with SSL: enable the Force all client traffic through the tunnel configuration option so that all client traffic is routed through the tunnel