TunnelVision - CVE-2024-3661
Summary
Fortinet is aware of the recent publication of the TunnelVision vulnerability (CVE-2024-3661).
The research [1] describes a technique that bypasses a VPN tunnel when the client connects through an untrusted network, such as a rogue Wi-Fi network.
An attacker-controlled DHCP server on the same local network as the target can push routes (DHCP option 121, classless static routes) that are more specific than the routes the VPN client installs on the target's routing table; longest-prefix matching then sends the matching traffic out of the physical interface instead of through the VPN tunnel.
Note that this technique does not decrypt HTTPS traffic; it redirects traffic through attacker-controlled channels before the VPN has encrypted it, so that traffic leaves the host without the tunnel's protection.
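To make the routing mechanism concrete, the following is an added example (not code from the advisory, from Fortinet, or from Leviathan Security): it decodes an RFC 3442 DHCP option 121 payload and runs a longest-prefix-match lookup over a constructed host routing table before and after the rogue routes are installed. The interface names, addresses, routing table and option bytes are assumptions made for illustration.

```python
# Added example, not code from the Fortinet advisory or from Leviathan Security:
# decodes a DHCP option 121 (RFC 3442 classless static route) payload and shows,
# with a longest-prefix-match lookup, why routes pushed by a rogue DHCP server
# win over the routes a full-tunnel VPN installs. All addresses, the routing
# table and the option bytes below are constructed for illustration.
import ipaddress


def decode_option_121(payload: bytes):
    """Decode RFC 3442 classless static routes.

    Each entry is: <prefix length (1 byte)> <significant destination octets>
    <router (4 bytes)>. Only ceil(prefix/8) destination octets are sent.
    Returns a list of (IPv4Network, IPv4Address) pairs.
    """
    routes = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        n = (plen + 7) // 8
        if i + n + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        dest = bytes(payload[i:i + n]) + bytes(4 - n)   # zero-pad the host bits
        i += n
        router = ipaddress.IPv4Address(bytes(payload[i:i + 4]))
        i += 4
        net = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(dest)}/{plen}")
        routes.append((net, router))
    return routes


def base_table():
    """Constructed host routing table with a full-tunnel VPN up.

    Entries are (network, next hop or None, interface). The VPN client has
    installed 0.0.0.0/1 and 128.0.0.0/1 via tun0; together they cover every
    destination and are more specific than the LAN default route.
    """
    net = ipaddress.IPv4Network
    return [
        (net("0.0.0.0/0"), "192.168.1.1", "eth0"),   # LAN default route
        (net("192.168.1.0/24"), None, "eth0"),       # directly connected LAN
        (net("0.0.0.0/1"), None, "tun0"),            # VPN
        (net("128.0.0.0/1"), None, "tun0"),          # VPN
    ]


def apply_option_121(table, payload: bytes, iface: str):
    """Return a new table with the option 121 routes installed on iface,
    which is what a DHCP client that honours the option does."""
    return table + [(n, str(gw), iface) for n, gw in decode_option_121(payload)]


def lookup(table, dst: str):
    """Longest-prefix match, as the host's routing table does it."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for entry in table:
        if addr in entry[0] and (best is None or entry[0].prefixlen > best[0].prefixlen):
            best = entry
    return best


def egress(table, dst: str) -> str:
    """Name of the interface a packet to dst leaves on."""
    return lookup(table, dst)[2]


# Constructed rogue payload: 203.0.113.0/24 and 8.8.8.8/32 via 192.168.1.1.
# Both are more specific than the VPN's /1 routes, so they win the lookup.
ROGUE_OPTION_121 = bytes([
    24, 203, 0, 113, 192, 168, 1, 1,      # 203.0.113.0/24 -> 192.168.1.1
    32, 8, 8, 8, 8, 192, 168, 1, 1,       # 8.8.8.8/32     -> 192.168.1.1
])


if __name__ == "__main__":
    clean = base_table()
    poisoned = apply_option_121(clean, ROGUE_OPTION_121, "eth0")
    for dst in ("203.0.113.10", "8.8.8.8", "198.51.100.5"):
        print(f"{dst:15} before: {egress(clean, dst)}  after: {egress(poisoned, dst)}")
```

Destinations covered by the pushed prefixes leave on eth0 once the option is honoured, while everything else still goes through tun0, which is why a client that ignores option 121 on the untrusted interface (or a full tunnel that drops non-tunnel traffic) is not affected.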
Version | Affected | Solution |
---|---|---|
FortiClientLinux 7.4 | 7.4.0 | Upgrade to 7.4.1 or above |
FortiClientLinux 7.2 | 7.2.0 through 7.2.4 | Upgrade to 7.2.5 or above |
FortiClientLinux 7.0 | 7.0 all versions | Migrate to a fixed release |
FortiClientLinux 6.4 | 6.4 all versions | Migrate to a fixed release |
FortiClientMac 7.4 | 7.4.0 | Upgrade to 7.4.1 or above |
FortiClientMac 7.2 | 7.2.0 through 7.2.4 | Upgrade to 7.2.5 or above |
FortiClientMac 7.0 | 7.0 all versions | Migrate to a fixed release |
FortiClientMac 6.4 | 6.4 all versions | Migrate to a fixed release |
FortiClientWindows 7.4 | 7.4.0 | Upgrade to 7.4.1 or above |
FortiClientWindows 7.2 | 7.2.0 through 7.2.4 | Upgrade to 7.2.5 or above |
FortiClientWindows 7.0 | 7.0 all versions | Migrate to a fixed release |
FortiClientWindows 6.4 | 6.4 all versions | Migrate to a fixed release |
Solutions:
FortiClientWindows:
SSL-VPN Full Tunnel with 'exclusive-routing' enabled is unaffected.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enabling-SSL-VPN-Full-Tunnel/ta-p/191848
FortiOS site-to-site VPN:
FortiOS may be affected when it is configured as a DHCP client on the interface connected to the rogue DHCP server and the 'dhcp-classless-route-addition' setting is enabled on that interface.
To disable it, enter the following commands:
config system interface
    edit <port>
        set dhcp-classless-route-addition disable
    next
end
With this setting disabled, FortiOS does not process DHCP option 121 and is therefore unaffected. The default value may differ between models.
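Because the default differs between models, check the effective value on each DHCP-client interface rather than assuming it. The following is an added check, not part of the advisory; `port1` is a placeholder for the interface facing the untrusted network:

```fortios
config system interface
    edit port1
        show full-configuration | grep dhcp-classless-route-addition
    next
end
```

`show full-configuration` prints the value even when it is still at its default, which plain `show` omits.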
Workarounds:
Avoid connecting to potentially unsafe Wi-Fi networks.
Mitigations:
With an IPsec VPN full tunnel, attempts to reroute traffic with this technique are defeated: the FortiGate firewall policies drop packets that do not arrive through the VPN tunnel interface before they reach the attacker-controlled channel. Ensure that enable_local_lan is set to 0 in the FortiClient IPsec VPN configuration.
Timeline
2024-06-11: Initial publication
References
- [1] TunnelVision, Leviathan Security Group: https://www.leviathansecurity.com/blog/tunnelvision