TunnelVision Attack (CVE-2024-3661): Decloak Routing-Based VPNs For a Total VPN Leak

Leviathan Security Group has recently discovered a new network technique that poses a serious threat to the security of VPNs. The technique bypasses the VPN encapsulation and pulls traffic out of the VPN tunnel by exploiting DHCP (Dynamic Host Configuration Protocol). This means that when packets are meant to be transmitted through a VPN, an attacker can intercept and snoop on all the traffic being sent, because those packets never enter the tunnel and so are never encrypted by the VPN. This is a sophisticated method of cyber attack known as “decloaking,” which affects VPN providers as well as operating system maintainers, self-hosted VPN admins, and VPN users alike. To understand how the attack works, it is important to have a basic understanding of DHCP servers, VPNs, and routes/routing tables.

Understanding TunnelVision

The attack technique utilizes DHCP ‘option 121’ (classless static routes). This option lets a DHCP server push routes into the client’s routing table, overriding the routes the VPN installed; in other words, an attacker who controls the DHCP server on the local network can install routes on the victim’s machine. The VPN’s own routes are what steer traffic into the encrypted tunnel, so a more specific route pushed through option 121 takes precedence and redirects that traffic to the gateway the DHCP server named, prioritizing the attacker’s preferred routes over the VPN. In the attack, the DHCP server names itself as that gateway into the target’s local network, and any traffic diverted through it can be snooped on in the clear.
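The following is an added example (not Leviathan’s or Atsign’s code) showing the mechanism from the defender’s side: it decodes an option 121 payload and reports any pushed route that longest-prefix matching would prefer over the VPN’s own routes. The option bytes and the VPN route list are constructed sample data.

```python
"""Decode DHCP option 121 (classless static routes, RFC 3442) and flag
pushed routes that are at least as specific as the VPN's covering route,
i.e. routes the host would prefer over the tunnel.

Added example, not Leviathan's or Atsign's code; the option payload and
the VPN route list below are constructed sample data."""
import ipaddress

IPv4Net = ipaddress.IPv4Network


def parse_option_121(data: bytes):
    """Return (destination, gateway) pairs. Each entry is a 1-byte prefix
    length, ceil(prefix/8) significant destination octets, 4 router octets."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        n = (plen + 7) // 8
        if i + 1 + n + 4 > len(data):
            raise ValueError("truncated option 121 payload")
        dest = data[i + 1:i + 1 + n] + b"\x00" * (4 - n)  # pad omitted octets
        gw = ipaddress.IPv4Address(data[i + 1 + n:i + 5 + n])
        routes.append((IPv4Net((dest, plen)), gw))
        i += 1 + n + 4
    return routes


def routes_beating_vpn(pushed, vpn_routes):
    """Return pushed routes at least as specific as the most specific VPN
    route covering their network. Equal lengths are decided by metric on a
    real host, so ties are reported too (conservative for a defender)."""
    flagged = []
    for dest, gw in pushed:
        covering = [v.prefixlen for v in vpn_routes if dest.network_address in v]
        if covering and dest.prefixlen >= max(covering):
            flagged.append((dest, gw))
    return flagged


# Constructed: a full-tunnel VPN's two /1 routes, and a DHCP offer's option
# 121 body carrying a normal default route plus one attacker-chosen /24.
VPN_ROUTES = [IPv4Net("0.0.0.0/1"), IPv4Net("128.0.0.0/1")]
OPTION_121 = bytes([0, 192, 168, 1, 1,                  # 0.0.0.0/0 via 192.168.1.1
                    24, 203, 0, 113, 192, 168, 1, 1])   # 203.0.113.0/24 via 192.168.1.1

if __name__ == "__main__":
    for dest, gw in routes_beating_vpn(parse_option_121(OPTION_121), VPN_ROUTES):
        print(f"route {dest} via {gw} would bypass the VPN tunnel")
```

The default route (/0) is less specific than the VPN’s /1 routes and is not flagged; the /24 is, which is exactly the precedence the attack relies on.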

Fixes and Mitigations Listed by Leviathan Security Group

Leviathan Security Group has identified several mitigations for this issue. These include using network namespaces to isolate network resources, implementing firewall rules to control which traffic may leave outside the tunnel, and using virtual machines or hotspots to create an isolated network environment. These measures can help prevent unauthorized access, reduce the risk of a leak, and protect sensitive information. However, they are temporary workarounds rather than a fix.

The Difference between VPNs and Atsign’s Tech

Unlike traditional VPNs, which rely on monitoring for security breaches, Atsign's robust protocol actively prevents unauthorized access. By eliminating vulnerabilities associated with compromised DHCP servers, Atsign ensures your transmissions remain secure from the outset. Any attempt by unknown parties to access your network is immediately terminated, effectively stopping threats before they can even begin.

How does Atsign handle network transmissions with no open ports?

The following is a brief description of how data is transmitted on Atsign’s Control Plane:

  1. Alice is looking to establish a secure connection with her remote device, @alice_device.
  2. To initiate this, Alice's client, @alice_client, first selects a socket rendezvous, or SR.
  3. The SR issues two connection ports to @alice_client by providing its host address and two port numbers.
  4. This is done through Atsign's control plane, and the information is end-to-end encrypted, ensuring maximum security.
  5. Next, @alice_client requests a connection to @alice_device and shares one port from the socket rendezvous.
  6. The device, @alice_device, generates a new ephemeral SSH key pair for the session, which is an added layer of security.
  7. @alice_device automatically sends the ephemeral SSH private key to @alice_client, making the process seamless.
  8. @alice_device then forwards its SSHD port to the SR using Atsign's SSHRV client, providing a secure channel for the connection.
  9. This enables @alice_client to SSH to the SR using the second port, and the socket rendezvous connects the two ports issued to @alice_client.
  10. The resulting SSH tunnel through the SR to @alice_device forwards an ephemeral port on @alice_client's localhost to @alice_device's SSHD port.
  11. The connection is now ready, and the application provides an SSH command to connect over this tunnel, making it easy for Alice to SSH to @alice_device.
  12. Alice has successfully connected to her remote device, @alice_device, securely and efficiently, thanks to the robust system provided by Atsign.

Read more about how NoPorts works, or watch our latest video.

With NoPorts, you can be your own VPN and truly secure your data. Read more on how to be your own VPN after setting up NoPorts on your machines, here.