Advisory 2024-0955 - VPN-Clients / DHCP: Vulnerability allows bypassing security measures

Notice: This advisory is exceptionally shown in full to the public. As a customer, you regularly receive detailed vulnerability information via your login or through our daily advisory e-mail.
Attack probability: 4 (medium-high)
Potential damage: 4 (medium-high)
Remote anonymous attacker
Exploit available
Date: 2024-05-07
Release: 2025-01-14 UPDATE

Operating System

  • iPhoneOS
  • Linux
  • MacOS X
  • Other
  • UNIX
  • Windows

Software

  • Apple iOS
  • Apple macOS
  • Microsoft Windows
  • Open Source Linux
  • UPDATE 2024-05-17
  • PaloAlto Networks GlobalProtect app
  • UPDATE 2024-05-21
  • F5 BIG-IP 15.1.0 - 15.1.10
  • F5 BIG-IP 16.1.0 - 16.1.4
  • F5 BIG-IP 17.1.0 - 17.1.1
  • F5 BIG-IP ARM Clients 7.2.3 - 7.2.4
  • UPDATE 2024-06-12
  • Fortinet FortiClient
  • UPDATE 2024-06-25
  • Citrix Systems Citrix Gateway
  • Citrix Systems NetScaler
  • UPDATE 2025-01-13
  • Red Hat Enterprise Linux
  • UPDATE 2025-01-14
  • Oracle Linux

Attack

An attacker from an adjacent network can exploit a vulnerability in VPN-clients running on DHCP-configured devices in order to redirect traffic.

Description

DHCP is the Dynamic Host Configuration Protocol for the automatic configuration of clients in the network.

CVE-2024-3661

A vulnerability exists on systems configured via DHCP in conjunction with VPN implementations. It is caused by DHCP option 121, which can be used to modify routing information. An attacker from an adjacent network can exploit this vulnerability to redirect network traffic that should be protected by the VPN. As a result, the attacker can read and possibly manipulate the traffic and the metadata it contains.

CVSSv2 Base Score: 7.3 / Temporal Score: 6.6
AV:A/AC:L/AU:N/C:C/I:P/A:P/E:POC/RL:U/RC:ND
CVSSv3.1 Base Score: 8.8 / Temporal Score: 8.3
AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L/E:P/RL:U/RC:X

The exploitation of the vulnerability is described in detail on the Internet.
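
The effect of option 121 on a VPN client's routing can be checked from the defender's side. The following added example (not part of the original advisory or of any vendor's code) decodes an option 121 payload in the RFC 3442 encoding and lists the routes that, by longest-prefix match, would take precedence over a given set of VPN routes. The function names and the sample payload are constructed for illustration.

```python
"""Decode DHCP option 121 (RFC 3442) and list routes that would outrank VPN routes."""
import ipaddress


def parse_option_121(data: bytes):
    """Return [(IPv4Network, gateway IPv4Address), ...] from the raw option payload."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i}")
        nbytes = (plen + 7) // 8  # only the significant destination octets are sent
        end = i + 1 + nbytes + 4
        if end > len(data):
            raise ValueError(f"truncated route at offset {i}")
        dest = ipaddress.IPv4Address(data[i + 1:i + 1 + nbytes] + bytes(4 - nbytes))
        net = ipaddress.IPv4Network((dest, plen), strict=False)
        gw = ipaddress.IPv4Address(data[i + 1 + nbytes:end])
        routes.append((net, gw))
        i = end
    return routes


def routes_outranking_vpn(dhcp_routes, vpn_routes):
    """DHCP routes strictly more specific than a VPN route that contains them.

    Longest-prefix match sends traffic for these destinations to the
    DHCP-supplied gateway instead of the tunnel interface.
    """
    vpn = [ipaddress.IPv4Network(r) for r in vpn_routes]
    return [(net, gw) for net, gw in dhcp_routes
            if any(net.subnet_of(v) and net.prefixlen > v.prefixlen for v in vpn)]


# Constructed sample payload (not captured traffic):
SAMPLE = bytes([
    1, 0, 192, 0, 2, 66,         # 0.0.0.0/1    via 192.0.2.66
    1, 128, 192, 0, 2, 66,       # 128.0.0.0/1  via 192.0.2.66
    16, 10, 20, 192, 0, 2, 1,    # 10.20.0.0/16 via 192.0.2.1
    0, 192, 0, 2, 1,             # 0.0.0.0/0    via 192.0.2.1
])

if __name__ == "__main__":
    routes = parse_option_121(SAMPLE)
    for label, vpn in (("full tunnel", ["0.0.0.0/0"]), ("split tunnel", ["10.0.0.0/8"])):
        print(label)
        for net, gw in routes_outranking_vpn(routes, vpn):
            print(f"  {net} via {gw} would bypass the tunnel")
```

A route with the same prefix length as a VPN route is not listed, because in that case the interface metric rather than the prefix length decides which route is used.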

Recommendation

There is currently no update or patch available to fix this vulnerability.
https://github.com/advisories/GHSA-jcv7-6v4q-4m7x

UPDATE 2024-05-17

Palo Alto describes a workaround. For further information please consult the vendor's advisory.
https://security.paloaltonetworks.com/CVE-2024-3661

UPDATE 2024-05-21

From F5, there is currently no update or patch available to fix this vulnerability.
https://my.f5.com/manage/s/article/K000139553

UPDATE 2024-06-12

Fortinet announces an upcoming patch and describes a workaround. For further information please consult the vendor's advisory.
https://fortiguard.fortinet.com/psirt/FG-IR-24-170

UPDATE 2024-06-25

Citrix describes a workaround. For further information please consult the vendor's advisory.
https://support.citrix.com/article/CTX677069

UPDATE 2025-01-13

Red Hat provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://access.redhat.com/errata/RHSA-2025:0288

UPDATE 2025-01-14

Oracle Linux provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
http://linux.oracle.com/errata/ELSA-2025-0288.html

Information

GitHub Advisory Database dated 2024-05-06
https://github.com/advisories/GHSA-jcv7-6v4q-4m7x

TunnelVision Website dated 2024-05-06
https://tunnelvisionbug.com

Leviathan Security Blog dated 2024-05-06
https://www.leviathansecurity.com/blog/tunnelvision

UPDATE 2024-05-17

Palo Alto Networks Security Advisories dated 2024-05-16
https://security.paloaltonetworks.com/CVE-2024-3661

UPDATE 2024-05-21

F5 Security Advisory K000139553 dated 2024-05-21
https://my.f5.com/manage/s/article/K000139553

UPDATE 2024-06-12

FortiGuard Labs PSIRT Advisory FG-IR-24-170 dated 2024-06-11
https://fortiguard.fortinet.com/psirt/FG-IR-24-170

UPDATE 2024-06-25

Citrix Security Advisory CTX677069 dated 2024-06-24
https://support.citrix.com/article/CTX677069

Citrix Security Advisory CTX677069 dated 2024-06-24
https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661

UPDATE 2025-01-13

Red Hat Security Advisory RHSA-2025:0288 dated 2025-01-13
https://access.redhat.com/errata/RHSA-2025:0288

UPDATE 2025-01-14

Oracle Linux Security Advisory ELSA-2025-0288 dated 2025-01-14
http://linux.oracle.com/errata/ELSA-2025-0288.html

References

CITRIX:CTX677069
CVE:CVE-2024-3661
F5:K000139553
FORTINET:FG-IR-24-170
GITHUB:GHSA-JCV7-6V4Q-4M7X
ORACLELINUX:ELSA-2025-0288
REDHAT:RHSA-2025:0288
VULNAME:TUNNELVISION

Disclaimer

*The probability of an attack is determined by the attacker's motivation, the effort required and the opportunities for an attack. The potential damage is determined by the effort needed to resolve the attack and the probable indirect consequences of an attack for business processes. Telekom Security assumes worst-case scenarios.

Copyright © 1999-2025 Deutsche Telekom Security GmbH. All rights reserved. Reproduction and distribution of this publication in any form - even in parts - without prior written permission is forbidden.

The information contained herein has been obtained from sources believed to be reliable and trusted or have been verified. Telekom Security can take liability for completeness, accuracy and correctness only in so far, as gross negligence or intention create liability. Any liability beyond it, in particular possible damages resulting from using or non-usability of the information contained herein, is excluded.