Vulnerabilidad en DHCP (CVE-2024-3661)
Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-306
Ausencia de autenticación para una función crítica
Fecha de publicación:
06/05/2024
Última modificación:
15/01/2025
Descripción
Por diseño, el protocolo DHCP no autentica mensajes, incluida, por ejemplo, la opción de ruta estática sin clases (121). Un atacante con la capacidad de enviar mensajes DHCP puede manipular rutas para redirigir el tráfico VPN, lo que le permite leer, interrumpir o posiblemente modificar el tráfico de red que se esperaba que estuviera protegido por la VPN. Muchos, si no la mayoría, de los sistemas VPN basados en enrutamiento IP son susceptibles a este tipo de ataques.
Impacto
Puntuación base 3.x
7.60
Gravedad 3.x
ALTA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:linux:*:* | 6.4.0 (incluyendo) | 7.2.5 (excluyendo) |
| cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:macos:*:* | 6.4.0 (incluyendo) | 7.2.5 (excluyendo) |
| cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:windows:*:* | 6.4.0 (incluyendo) | 7.2.5 (excluyendo) |
| cpe:2.3:a:fortinet:forticlient:7.4.0:*:*:*:*:linux:*:* | ||
| cpe:2.3:a:fortinet:forticlient:7.4.0:*:*:*:*:macos:*:* | ||
| cpe:2.3:a:fortinet:forticlient:7.4.0:*:*:*:*:windows:*:* | ||
| cpe:2.3:a:cisco:anyconnect_vpn_client:-:*:*:*:*:*:*:* | ||
| cpe:2.3:a:cisco:secure_client:-:*:*:*:*:*:*:* | ||
| cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:iphone_os:*:* | ||
| cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:linux:*:* | ||
| cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:macos:*:* | ||
| cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:windows:*:* | ||
| cpe:2.3:a:citrix:secure_access_client:*:*:*:*:*:*:*:* | 24.06.1 (excluyendo) | |
| cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:* |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/
- https://bst.cisco.com/quickview/bug/CSCwk05814
- https://datatracker.ietf.org/doc/html/rfc2131#section-7
- https://datatracker.ietf.org/doc/html/rfc3442#section-7
- https://fortiguard.fortinet.com/psirt/FG-IR-24-170
- https://issuetracker.google.com/issues/263721377
- https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/
- https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic
- https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision
- https://my.f5.com/manage/s/article/K000139553
- https://news.ycombinator.com/item?id=40279632
- https://news.ycombinator.com/item?id=40284111
- https://security.paloaltonetworks.com/CVE-2024-3661
- https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661
- https://tunnelvisionbug.com/
- https://www.agwa.name/blog/post/hardening_openvpn_for_def_con
- https://www.leviathansecurity.com/research/tunnelvision
- https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/
- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009
- https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability
- https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/
- https://bst.cisco.com/quickview/bug/CSCwk05814
- https://datatracker.ietf.org/doc/html/rfc2131#section-7
- https://datatracker.ietf.org/doc/html/rfc3442#section-7
- https://fortiguard.fortinet.com/psirt/FG-IR-24-170
- https://issuetracker.google.com/issues/263721377
- https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/
- https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic
- https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision
- https://my.f5.com/manage/s/article/K000139553
- https://news.ycombinator.com/item?id=40279632
- https://news.ycombinator.com/item?id=40284111
- https://security.paloaltonetworks.com/CVE-2024-3661
- https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661
- https://tunnelvisionbug.com/
- https://www.agwa.name/blog/post/hardening_openvpn_for_def_con
- https://www.leviathansecurity.com/research/tunnelvision
- https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/
- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009
- https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability