Advisory 2024-0955 - VPN-Clients / DHCP: Vulnerability allows bypassing security measures

Operating System

• iPhoneOS
• Linux
• MacOS X
• Sonstiges
• UNIX
• Windows

Software

• Apple iOS
• Apple macOS
• Microsoft Windows
• Open Source Linux
• UPDATE 2024-05-17
• PaloAlto Networks GlobalProtect app
• UPDATE 2024-05-21
• F5 BIG-IP 15.1.0 - 15.1.10
• F5 BIG-IP 16.1.0 - 16.1.4
• F5 BIG-IP 17.1.0 - 17.1.1
• F5 BIG-IP ARM Clients 7.2.3 - 7.2.4
• UPDATE 2024-06-12
• Fortinet FortiClient
• UPDATE 2024-06-25
• Citrix Systems Citrix Gateway
• Citrix Systems NetScaler
• UPDATE 2025-01-13
• Red Hat Enterprise Linux
• UPDATE 2025-01-14
• Oracle Linux

Attack

An attacker from an adjacent network can exploit a vulnerability in VPN-clients running on DHCP-configured devices in order to redirect traffic.

Description

DHCP is the Dynamic Host Configuration Protocol for the automatic configuration of clients in the network.

A vulnerability exists on systems configured via DHCP in conjunction with VPN implementations. It is caused by DHCP option 121, which can be used to modify routing information. An attacker from an adjacent network can exploit this vulnerability to redirect network traffic that should be protected by the VPN. As a result, the attacker can read and possibly manipulate the traffic and the metadata it contains.

Recommendation

There is currently no update or patch available to fix this vulnerability.
https://github.com/advisories/GHSA-jcv7-6v4q-4m7x

UPDATE 2024-05-17

Palo Alto describes a workaround. For further information please consult the vendor's advisory.
https://security.paloaltonetworks.com/CVE-2024-3661

UPDATE 2024-05-21

From F5, there is currently no update or patch available to fix this vulnerability.
https://my.f5.com/manage/s/article/K000139553

UPDATE 2024-06-12

Fortinet announces an upcoming patch and describes a workaround. For further information please consult the vendor's advisory.
https://fortiguard.fortinet.com/psirt/FG-IR-24-170

UPDATE 2024-06-25

Citrix describes a workaround. For further information please consult the vendor's advisory.
https://support.citrix.com/article/CTX677069

UPDATE 2025-01-13

Red Hat provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://access.redhat.com/errata/RHSA-2025:0288

UPDATE 2025-01-14

Oracle Linux provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
http://linux.oracle.com/errata/ELSA-2025-0288.html

Information

GitHub Advisory Database dated 2024-05-06
https://github.com/advisories/GHSA-jcv7-6v4q-4m7x

TunnelVision Website dated 2024-05-06
https://tunnelvisionbug.com

Leviathan Security Blog dated 2024-05-06
https://www.leviathansecurity.com/blog/tunnelvision

Palo Alto Networks Security Advisories dated 2024-05-16
https://security.paloaltonetworks.com/CVE-2024-3661

F5 Security Advisory K000139553 dated 2024-05-21
https://my.f5.com/manage/s/article/K000139553

FortiGuard Labs PSIRT Advisory FG-IR-24-170 dated 2024-06-11
https://fortiguard.fortinet.com/psirt/FG-IR-24-170

Citrix Security Advisory CTX677069 dated 2024-06-24
https://support.citrix.com/article/CTX677069

Citrix Security Advisory CTX677069 dated 2024-06-24
https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661

Red Hat Security Advisory RHSA-2025:0288 dated 2025-01-13
https://access.redhat.com/errata/RHSA-2025:0288

Oracle Linux Security Advisory ELSA-2025-0288 dated 2025-01-14
http://linux.oracle.com/errata/ELSA-2025-0288.html