TunnelVision attack to neuter VPN traffic (CVE-2024-3661)

Markass the Worst

A recently discovered attack named TunnelVision (CVE-2024-3661, archive) means that if you ever used a VPN on a hostile network (like public wifi) it's possible your traffic never went through the VPN and your VPN was useless. The only OS not potentially affected by this attack is Android.

Here's an Ars Technica article on it.

Novel attack against virtually all VPN apps neuters their entire purpose

(archive)
Mullvad has stated they are not vulnerable unless you use iOS. (archive)
 
Makes me wonder if this would affect trying to access clearnet sites over Tor on a hostile network also. Tor uses a SOCKS proxy. So my guess is no. And of course .onion addresses wouldn’t be affected.

Good news for the Chinese and NSA up until this was announced.

If anyone was nerdy enough to always disable DHCP and only set static IPs I bet they feel pretty vindicated right now.

Thanks for the heads up
 
lmao. lmfao.
They've made it sound scary but:
  • If you used a VPN on your own Wi-Fi network, you're safe (from this one at least).
  • Who has been exploited? Probably not you at the grocery store, McD's or public library.
  • It's another 20+ year old vuln that MAY have been discovered and used, probably against Iranians or something.
 
Mullchads stay winning.
What would make Mullvad immune to this? It's not an attack that interferes with the VPN itself but stops your device from using the VPN.
Poorfagbros we just can't stop winning.
And fwiw, the reason Android is immune to this is because Android never bothered implementing the full specification and therefore this technique (which has legitimate uses) simply doesn't work on it.
It's another 20+ year old vuln that MAY have been discovered and used, probably against Iranians or something.
I'd be surprised if it hasn't been used. It can be used by any actor that can directly set DNS routing on your device, so basically whatever DHCP server your device connects to. If that's a malicious one at a public WiFi hotspot, it can affect you. In theory, if you're using your ISP's own provided router which they control, then they can use it on you themselves.

The sneakiness of this is that your VPN will still be functioning. But your device will not be sending traffic over it for any targeted IP address range the bad actor chooses. You could detect this by either checking your routing tables before and after (continually) or comparing volume of traffic over your VPN with what you expect to see. But unless you knew to look for it, you won't notice.
 
How exactly does this override/neuter tools like Wireguard, which alter the routing table when activated? That alteration happens well after the host interface is brought up and configured, so DHCP has already done its thing.

Also, how could this operate without VPN functionality just stopping? It's a MITM attack, sure, but the claim is "traffic doesn't go through the VPN client," so how would someone under attack not notice they can't reach VPN-only resources? i.e. if I can only reach a stack of AWS EC2 instances via SSH over a Wireguard tunnel, and I'm under attack with this exploit at a hotel, how would I still be able to use the tunnel if the DHCP server "stealing" my traffic doesn't have the private key the remote bastion peer expects?
 
Okay, so you're being forced to pipe data through a local server, but you'd still need to bust open HTTPS somehow, wouldn't you? A hostile local network would be able to figure out WHERE the traffic is going, but not necessarily the contents. Unless I'm missing something.

It's still not GOOD, but it's not the end of all things.
 
Mullvad's client on non-mobile platforms blocks communication with non-Mullvad IPs unless you specifically enable it in settings, it seems.
Wow - that'll do it. Mullchads indeed!

How exactly does this override/neuter tools like Wireguard, which alter the routing table when activated? That alteration happens well after the host interface is brought up and configured, so DHCP has already done its thing.

Also, how could this operate without VPN functionality just stopping? It's a MITM attack, sure, but the claim is "traffic doesn't go through the VPN client," so how would someone under attack not notice they can't reach VPN-only resources? i.e. if I can only reach a stack of AWS EC2 instances via SSH over a Wireguard tunnel, and I'm under attack with this exploit at a hotel, how would I still be able to use the tunnel if the DHCP server "stealing" my traffic doesn't have the private key the remote bastion peer expects?
If Wireguard controls the routing tables then it may be that it isn't affected. Though a comment on Ars said it was, I think they tested it. But as regards the rest of it, it can be selective. So they can choose (by DNS) what traffic they intercept and nothing stops them forwarding it on. This isn't an attack that breaks VPNs, it doesn't mean they can eavesdrop on your company VPN. What it is, is an attack on people who use VPNs for general privacy to prevent others seeing what sites they're visiting and those sites from seeing where they're coming from. The interceptor knows both.

Okay, so you're being forced to pipe data through a local server, but you'd still need to bust open HTTPS somehow, wouldn't you? A hostile local network would be able to figure out WHERE the traffic is going, but not necessarily the contents. Unless I'm missing something.

It's still not GOOD, but it's not the end of all things.
You're not missing anything. This isn't a way of spying on the contents of an end-to-end VPN like a company one. It's a way of stopping people using a VPN to hide who they are / what they're visiting on regular public sites. Like Kiwifarms.
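As an added illustration (not code from this thread or from any VPN client) of the routing-table check mentioned earlier in the thread, and of why a more-specific route wins even when WireGuard has already installed its own routes: this parses a constructed `ip route` listing, resolves the egress interface by longest-prefix match, and flags routes that would carry traffic around the tunnel. The interface names, addresses and VPN endpoint are assumptions.

```python
import ipaddress

# Constructed sample of `ip route show` on a laptop whose VPN (wg0) owns the two /1
# routes, after the LAN's DHCP server pushed an extra /24 via eth0 (the kind of
# classless static route a hostile DHCP server can hand out).
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 dev wg0 scope link
128.0.0.0/1 dev wg0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
198.51.100.0/24 via 192.168.1.1 dev eth0 proto dhcp
"""

def parse_routes(text):
    """Turn `ip route` lines into dicts with the fields the check needs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        route = {"net": ipaddress.ip_network(dst, strict=False), "dev": None, "proto": None}
        for key in ("dev", "proto"):
            if key in parts:
                route[key] = parts[parts.index(key) + 1]
        routes.append(route)
    return routes

def egress_dev(routes, dst_ip):
    """Longest-prefix match: the most specific route wins, whoever installed it last."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [r for r in routes if ip in r["net"]]
    return max(matches, key=lambda r: r["net"].prefixlen)["dev"] if matches else None

def bypass_routes(routes, vpn_dev, vpn_endpoint):
    """Routes that divert traffic off the tunnel: not on the VPN interface, more
    specific than the VPN's /1 split, and neither the on-link subnet the NIC needs
    nor the host route to the VPN server itself (which must leave via the NIC)."""
    endpoint = ipaddress.ip_network(vpn_endpoint + "/32")
    return [r for r in routes
            if r["dev"] != vpn_dev
            and r["net"].prefixlen > 1
            and r["proto"] != "kernel"
            and r["net"] != endpoint]

if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for r in bypass_routes(table, "wg0", "203.0.113.10"):
        print(f"bypasses VPN: {r['net']} via {r['dev']} ({r['proto']})")
```

Run against the real table (`ip route show`) before and after joining a network; any new entry this flags is traffic the tunnel will never see.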
 
You're not missing anything. This isn't a way of spying on the contents of an end-to-end VPN like a company one. It's a way of stopping people using a VPN to hide who they are / what they're visiting on regular public sites. Like Kiwifarms.
Well, okay. I connect to a hostile wifi at McDonald's and they see I connected to Kiwifarms. And they have, er... what, exactly? My MAC address? Which they can do what with? It's a unique(ish) ID, but not one easily connected to a person.

I guess maybe this would be slightly worse at (say) a hotel where they could connect it to a room number and an individual. But still. It's not ideal, but it's pretty limited in scope.
 
Well, okay. I connect to a hostile wifi at McDonald's and they see I connected to Kiwifarms. And they have, er... what, exactly? My MAC address? Which they can do what with? It's a unique(ish) ID, but not one easily connected to a person.

I guess maybe this would be slightly worse at (say) a hotel where they could connect it to a room number and an individual. But still. It's not ideal, but it's pretty limited in scope.
Perhaps. You are correct that it's not breaking into the actual VPN you have to your workplace or similar. But the fact is that a lot of people use VPNs specifically for this purpose of getting some measure of privacy. Especially on public networks. It's a significant market for VPN companies I think, it's not all about watching Netflix abroad. So it can be a big deal for some. Especially as countries get more censorious. Bongland locks people up for "hate speech" and Canada wants to lock people up for it retroactively! Your viewing history can be used against you in some places.

I still think this matters and it's good that people know about it.
 