TunnelVision: An Overrated Problem or Universal Evil

Tomcat

In whose hands does CVE-2024-3661 pose the greatest risk to the public?

On May 6, a researcher from Leviathan Security disclosed a critical vulnerability affecting Virtual Private Network (VPN) systems, named TunnelVision (CVE-2024-3661). It lets an attacker bypass VPN encryption and redirect network traffic outside the VPN tunnel, so that the traffic is no longer protected.

TunnelVision abuses the Dynamic Host Configuration Protocol (DHCP). An attacker on the local network uses DHCP to create a side channel through which unencrypted traffic is routed to their own servers, bypassing the VPN tunnel. The VPN client still assumes the data is being sent through the secure tunnel, while it has already left it.

Shortly after the vulnerability was disclosed, many experts said that they consider the danger of TunnelVision exaggerated. Dr. Peter Membrey, Chief Engineer of ExpressVPN, said:

"It's not as easy to launch an attack as described. It requires several conditions for successful execution. For example, an attack is only possible on public Wi-Fi networks. You won't be vulnerable on your home or office network. There are also protections that can be installed by public Wi-Fi providers."

Other experts point out that for the attack to succeed, the user's local network (for example, the router) must be compromised. Thus the VPN client remains protected as long as the network has not been attacked at the local level, which is the main risk on public Wi-Fi. A VPN kill switch and the client's built-in firewall also provide protection.
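As an added example (not code from the original post, from Leviathan Security, or from any VPN vendor), here is a defender-side check for the condition TunnelVision creates on the victim host: a rogue DHCP server pushes classless static routes (DHCP option 121) that are more specific than the tunnel's catch-all routes, so the host's longest-prefix match sends the matching traffic out of the physical interface instead of the tunnel. The script assumes the Linux `ip route show` output format, the interface names tun0 and eth0, and a VPN server address of 203.0.113.10; the routing table it parses is constructed for the demonstration.

```python
"""Flag routes that carry traffic around a VPN tunnel (added example).

TunnelVision has a rogue DHCP server push classless static routes
(DHCP option 121) that are narrower than the VPN's 0.0.0.0/1 and
128.0.0.0/1 pair, so longest-prefix matching wins for the attacker.
This check assumes Linux `ip route show` output; the table below is
constructed, not captured from a real host.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed routing table: a VPN client on eth0 with tun0 as its tunnel.
# The last line has the shape of a route a rogue DHCP server would inject.
SAMPLE_ROUTES = "\n".join([
    "default via 192.168.1.1 dev eth0 proto dhcp metric 100",
    "0.0.0.0/1 via 10.8.0.1 dev tun0",
    "128.0.0.0/1 via 10.8.0.1 dev tun0",
    "10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2",
    "192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50",
    "203.0.113.10 via 192.168.1.1 dev eth0",                # host route to VPN server (expected)
    "198.51.100.0/24 via 192.168.1.1 dev eth0 proto dhcp",  # narrower than /1: bypasses tun0
])

# Matches "<dst> [via <gw>] dev <ifname> ..."; trailing attributes are ignored.
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)")


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]  # None for on-link routes


def parse_routes(text: str) -> List[Route]:
    """Parse `ip route show` lines into Route records; unrecognised lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        net = ipaddress.ip_network(dst, strict=False)  # a bare host address becomes /32
        routes.append(Route(net, m.group("dev"), m.group("via")))
    return routes


def find_bypass_routes(routes: List[Route], vpn_dev: str, vpn_server: str) -> List[Route]:
    """Return gateway routes that exit via a non-VPN interface and would win
    longest-prefix matching against the tunnel's 0.0.0.0/1 + 128.0.0.0/1 pair."""
    server = ipaddress.ip_address(vpn_server)
    suspects = []
    for r in routes:
        if r.dev == vpn_dev:
            continue  # traffic stays inside the tunnel
        if r.via is None:
            continue  # on-link LAN subnet installed by the kernel, normal
        if r.prefix.prefixlen == 0:
            continue  # uplink default route; the tunnel's /1 pair beats it
        if r.prefix.prefixlen == 32 and server in r.prefix:
            continue  # the client's own host route to reach the VPN server
        suspects.append(r)
    return suspects


if __name__ == "__main__":
    hits = find_bypass_routes(parse_routes(SAMPLE_ROUTES), "tun0", "203.0.113.10")
    for r in hits:
        print(f"WARNING: {r.prefix} exits via {r.dev} (gateway {r.via}), outside the tunnel")
    if not hits:
        print("No routes bypass the tunnel")
```

On a real host you would feed the output of `ip route show` to `parse_routes` and run the check after every DHCP lease renewal, since that is when a rogue server can add routes. Finding such a route is not itself a compromise of the tunnel: the kill switch and firewall mentioned above, which drop any egress that does not leave through the tunnel interface (other than the host route to the VPN server), are what make these injected routes harmless.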

The TunnelVision vulnerability gives attackers on a local network a new way to deanonymize VPN traffic. With the widespread adoption of HTTPS, intercepting network traffic has become harder for attackers. However, an attacker who gains access to the local network has ideal conditions for exploiting TunnelVision.

At the moment, experts believe that the danger of TunnelVision is exaggerated, since the conditions for exploiting it successfully are quite demanding. However, if such a vulnerability falls into the hands of Western intelligence agencies, it will certainly open up new ways for them to deanonymize user data.

History shows that government agencies have repeatedly used vulnerabilities to track users illegally. For example, in December last year, US Senator Ron Wyden disclosed that US law enforcement agencies conduct warrantless surveillance of Apple and Android users through a vulnerability in push notifications.

Among other similar cases, the EternalBlue vulnerability, discovered by the US National Security Agency (NSA), was used to break into Windows systems without notifying Microsoft. This allowed the NSA to conduct unauthorized intrusions until the Shadow Brokers hacker group leaked the information.

The story of Edward Snowden is also a reminder of the scale of the NSA's illegal surveillance programs. Such cases show that vulnerabilities like TunnelVision can easily be used to violate user privacy.