TunnelVision Vulnerability CVE-2024-3661 in VPNs
A recently disclosed vulnerability affecting all VPNs enables snooping on user traffic using a built-in DHCP feature. It has been dubbed TunnelVision, or decloaking. With this technique, VPN kill switches are never tripped and the network connection keeps working normally, without the user or the applications being aware of it. This raises safety concerns for journalists, whistle-blowers and others who are targeted for surveillance and spyware attacks.
Leviathan Security Group, the team that found the exploit, believes that the vulnerability dates back to 2002.
Mitigation is available on the Linux platform. The strong recommendations are the following:
- Use namespaces to segment network interfaces and routing tables away from the local device's network.
- Ignore Option 121 of DHCP when VPNs are active.
- Deny all inbound and outbound traffic to and from the physical interface using firewall rules.
- Use a hotspot or a VM.
The research was conducted by Lizzie Moratti and Dani Cronce. A proof of concept (PoC) with video is available at TunnelVision - CVE-2024-3661.
Source(s)
- Ghacks Article
- Youtube Video