The “TunnelVision” bug can cause any VPN to leak traffic

By exploiting the Dynamic Host Configuration Protocol (DHCP) features deployed in all operating systems, an attacker can divert traffic from the encrypted VPN tunnel, allowing it to be inspected.

DHCP is a network protocol used to assign IP addresses to devices on a local network. In simple terms, it allows a device to automatically obtain an IP address and other network configuration parameters when it connects to a network.

Since 2002, DHCP has had a feature called “option 121”, which allows network administrators to specify routes and add them to a client’s routing table.

The DHCP server can push multiple routes using option 121, and these take precedence over the default routes used by most VPNs. This way, the traffic is sent through the network interface connected to the DHCP server, instead of the VPN tunnel. Option 121 can be used by attackers operating a network they control to manipulate VPN users’ routing tables and force their traffic out of the VPN tunnel.
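To make the routing-table mechanism concrete, here is an added Python example (not code from the researchers or from this article) that decodes an option 121 payload the way a DHCP client receives it and then applies longest-prefix matching against the two /1 routes a typical full-tunnel VPN installs, reporting which destinations would bypass the tunnel. The payload bytes, the tunnel interface name “tun0” and the VPN route layout are constructed assumptions.

```python
import ipaddress

# Constructed sample payload for DHCP option 121 (RFC 3442 classless static routes).
# Layout per route: prefix length, only the significant octets of the destination,
# then the 4-byte gateway. This sample encodes:
#   10.0.0.0/8  via 192.168.1.1
#   0.0.0.0/0   via 192.168.1.1
SAMPLE_OPTION_121 = bytes.fromhex("080ac0a80101" "00c0a80101")

# Routes a typical full-tunnel VPN installs: two /1 halves that together cover all
# of IPv4 and point at the tunnel interface ("tun0" is a placeholder name).
VPN_ROUTES = [("0.0.0.0/1", "tun0"), ("128.0.0.0/1", "tun0")]


def parse_option_121(payload):
    """Decode option 121 bytes into a list of (IPv4Network, gateway string) tuples."""
    routes, i = [], 0
    while i < len(payload):
        width = payload[i]
        if width > 32:
            raise ValueError("invalid prefix length %d" % width)
        sig = (width + 7) // 8  # destination octets actually present on the wire
        dest = payload[i + 1:i + 1 + sig]
        gw = payload[i + 1 + sig:i + 5 + sig]
        if len(dest) != sig or len(gw) != 4:
            raise ValueError("truncated option 121 payload")
        dest_int = int.from_bytes(dest.ljust(4, b"\x00"), "big")
        routes.append((ipaddress.IPv4Network((dest_int, width), strict=False),
                       str(ipaddress.IPv4Address(gw))))
        i += 1 + sig + 4
    return routes


def longest_prefix_match(dest, table):
    """Pick the most specific matching route, as the kernel's forwarding lookup does."""
    best = None
    for net, gw in table:
        if ipaddress.IPv4Address(dest) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def audit_lease(option_121, vpn_routes, destinations):
    """Map each destination to the gateway its packets would actually use."""
    table = [(ipaddress.IPv4Network(n), gw) for n, gw in vpn_routes]
    table += parse_option_121(option_121)  # DHCP routes sit alongside the VPN's
    return {d: longest_prefix_match(d, table)[1] for d in destinations}


def leaked_destinations(option_121, vpn_routes, destinations, tunnel="tun0"):
    """Destinations whose traffic leaves the tunnel: the TunnelVision effect."""
    return sorted(d for d, gw in audit_lease(option_121, vpn_routes, destinations).items()
                  if gw != tunnel)


if __name__ == "__main__":
    for net, gw in parse_option_121(SAMPLE_OPTION_121):
        print("DHCP pushed route %s via %s" % (net, gw))
    print("leaks:", leaked_destinations(SAMPLE_OPTION_121, VPN_ROUTES, ["10.1.2.3", "1.1.1.1"]))
```

The /8 route beats the VPN's /1 routes for 10.1.2.3, so that traffic goes to the local gateway, while the pushed default route loses to the /1 routes and 1.1.1.1 stays in the tunnel; comparing a lease's option 121 routes against the tunnel routes in this way is a simple client-side check for the condition.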

Importantly, an attack using this method does not trigger kill switches or disconnect the user from the VPN, and gives no signal that traffic is being diverted. In addition, the attacker can maintain control over the connection, giving uninterrupted access to the data.

Full-tunnel and split-tunnel VPNs are vulnerable.

The vulnerability affects any operating system that implements a DHCP client and supports DHCP option 121 routes. This includes Windows, Linux, iOS, and macOS. Android isn’t affected, as it doesn’t implement option 121 (which is one of the reasons VPNs tend to be less stable on Android, researchers Lizzie Moratti and Dani Cronce of Leviathan Security note in a blog post). Linux users can implement a feature called “network namespaces”, which, depending on the distribution, may not be available by default.

Advice for VPN users

The impact of this vulnerability is significant, especially for journalists, political dissidents, and others who rely on VPNs for privacy and security. Since it has been potentially exploitable since 2002, it may have been used to intercept traffic for decades. While HTTPS provides some protection for web browsing, other types of traffic and unencrypted websites leave both the content and the destination visible to eavesdroppers.

“VPN users who expect VPNs to protect them on untrusted networks are just as susceptible to the same attacks as if they weren’t using a VPN,” the researchers note on a special site, tunnelvisionbug.com, set up to notify users and vendors.

“Fortunately, most users using commercial VPNs send web traffic that is mostly HTTPS (about 85%, actually). HTTPS traffic looks like gibberish to attackers using TunnelVision, but they know who you’re sending this gibberish to, which can matter.”

Users might consider running their VPN inside a virtual machine. They should avoid using untrusted networks, to prevent a rogue network from installing routes, and should run an ad blocker to stop cookie tracking. They should also be wary of marketing claims made by VPN vendors, which may exaggerate the security benefits provided.

Vendors should be transparent

Mitigating this problem is difficult, as it lies in operating-system functionality rather than in the VPNs themselves. However, the researchers say, vendors should warn users about TunnelVision in their documentation, notify them of any mitigations or fixes for specific operating systems, and be transparent about their limitations.

It is debatable whether TunnelVision should be classified as a vulnerability, they note, “because TunnelVision does not depend on violating any security properties of the underlying technologies. From our perspective, TunnelVision is how DHCP, routing tables, and VPNs work.

“However, it contradicts VPN providers’ assurances that are commonly referenced in marketing material.”

Image Source : www.computing.co.uk
