
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-3661, also known as TunnelVision, is a vulnerability that affects VPN clients that rely on the operating system's routing table to steer traffic into the tunnel. Publicly disclosed in May 2024 by Leviathan Security, it allows an attacker on the same local network to force traffic that should have been tunneled to leave over the physical interface in the clear. The attack leverages DHCP option 121 (the classless static route option) to manipulate the client's routing table and bypass VPN protection (Leviathan Security, Ars Technica).
The vulnerability exploits the fact that a DHCP server can install routes in a client's routing table through the classless static route option (121). An attacker who runs a rogue DHCP server on the segment (for example by winning the race against, or starving, the legitimate server) pushes routes that are more specific than the ones the VPN installed. Route selection is longest-prefix match, so these routes win and the matching traffic is sent out of the physical interface to the attacker's next hop instead of into the tunnel. The VPN only encrypts packets that the routing table actually hands to its tunnel interface; packets that the routing table sends elsewhere never reach it, no VPN code path is violated, and the tunnel stays up, so kill switches that only watch tunnel state do not fire. The vulnerability has been assigned a CVSS v3.1 base score of 7.6 (HIGH) (NVD, Fortinet).
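The following is an added example, not code from Leviathan Security or from the vulnerability report, that models the mechanism described above. It decodes an option 121 payload as laid out in RFC 3442, installs the resulting routes into a simulated routing table next to a VPN client's routes, and performs longest-prefix-match lookups to show which destinations egress the physical interface. It also includes a small audit function of the kind a practitioner can run over a real routing table dump to spot routes that out-rank the tunnel. Interface names (eth0, tun0), all addresses and the sample option 121 bytes are constructed for illustration.

```python
"""TunnelVision mechanics: DHCP option 121 routes out-ranking a VPN's routes.

Added example (not from the original report). All addresses, interface names
and the sample option 121 payload are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed rogue-server payload: two RFC 3442 entries, both pointing at the
# attacker's box 192.168.1.254 as next hop.
#   0x18 (=/24) 198.51.100      -> 192.168.1.254
#   0x0a (=/10) 100.64          -> 192.168.1.254
SAMPLE_OPTION_121 = (
    b"\x18\xc6\x33\x64" + b"\xc0\xa8\x01\xfe"
    + b"\x0a\x64\x40" + b"\xc0\xa8\x01\xfe"
)


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]   # None means on-link (no next hop)
    iface: str
    metric: int = 0


def parse_option_121(payload: bytes) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Decode RFC 3442 classless static routes.

    Each entry is: one byte prefix length, ceil(len/8) significant destination
    octets (the rest are implied zero), then four router octets.
    """
    routes = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        n_dest = (plen + 7) // 8
        if i + n_dest + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        dest = payload[i:i + n_dest] + b"\x00" * (4 - n_dest)
        i += n_dest
        router = payload[i:i + 4]
        i += 4
        # strict=True rejects a destination with host bits set.
        net = ipaddress.IPv4Network((bytes(dest), plen), strict=True)
        routes.append((net, str(ipaddress.IPv4Address(router))))
    return routes


def build_table(option121: bytes) -> List[Route]:
    """Simulated routing table: LAN + VPN routes + routes learned via DHCP."""
    table = [
        # Physical LAN (constructed): on-link /24 and DHCP-learned default route.
        Route(ipaddress.IPv4Network("192.168.1.0/24"), None, "eth0", 100),
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "192.168.1.1", "eth0", 100),
        # VPN client: pinned host route to its server via the LAN gateway, then
        # two /1 routes into the tunnel. The /1 routes beat the /0 default by
        # specificity, which is exactly the property the attacker turns around.
        Route(ipaddress.IPv4Network("203.0.113.10/32"), "192.168.1.1", "eth0", 0),
        Route(ipaddress.IPv4Network("0.0.0.0/1"), None, "tun0", 0),
        Route(ipaddress.IPv4Network("128.0.0.0/1"), None, "tun0", 0),
    ]
    # Option 121 routes are installed on the interface that received the DHCP
    # lease, with the attacker-chosen next hop.
    for net, router in parse_option_121(option121):
        table.append(Route(net, router, "eth0", 100))
    return table


def lookup(table: Iterable[Route], dst: str) -> Route:
    """Longest-prefix match; equal prefix lengths fall back to lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def leaked_prefixes(table: Iterable[Route], vpn_iface: str = "tun0",
                    allowed: Iterable[str] = ()) -> List[str]:
    """Non-VPN routes that are strictly more specific than a VPN route.

    On-link routes (gateway None) describe the local segment and are skipped;
    the VPN server's own pinned host route is passed in via `allowed`.
    """
    table = list(table)
    vpn = [r for r in table if r.iface == vpn_iface]
    allowed = set(allowed)
    leaks = set()
    for r in table:
        if r.iface == vpn_iface or r.gateway is None or str(r.prefix) in allowed:
            continue
        if any(r.prefix.prefixlen > v.prefix.prefixlen
               and r.prefix.subnet_of(v.prefix) for v in vpn):
            leaks.add(str(r.prefix))
    return sorted(leaks)


if __name__ == "__main__":
    table = build_table(SAMPLE_OPTION_121)
    for dst in ("1.1.1.1", "198.51.100.7", "100.64.5.5"):
        r = lookup(table, dst)
        print(f"{dst:>14} -> {r.iface} via {r.gateway or 'on-link'} ({r.prefix})")
    print("suspect routes:", leaked_prefixes(table, allowed={"203.0.113.10/32"}))
```

Running the block shows 1.1.1.1 still going through tun0 while 198.51.100.7 and 100.64.5.5 leave via eth0 toward 192.168.1.254, even though the VPN's /1 routes are still present and the tunnel is still up. The same audit logic applied to the output of `ip route` (Linux), `netstat -rn` (macOS) or `route print` (Windows) is a practical post-connect check: anything more specific than the tunnel's routes that points at the physical interface and is not the pinned route to the VPN server deserves an explanation.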
When successfully exploited, an attacker can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN. Traffic that is itself encrypted, such as HTTPS, stays confidential, but the attacker still sees metadata such as source and destination addresses, and because the pushed routes can be as narrow as a single host, the attacker can leak only selected destinations while everything else keeps flowing through the tunnel, so the victim sees nothing unusual. The vulnerability affects most major VPN clients across Windows, macOS, Linux, and iOS. Android is notably unaffected because its DHCP client does not implement option 121 (Leviathan Security, Ars Technica).
Several mitigation strategies are available: 1) On Linux, running the VPN and the applications it protects inside a network namespace that holds only the tunnel interface provides the most complete protection, since routes pushed to the physical interface never reach that namespace. 2) Connecting through a cellular hotspot or another network the user controls removes the attacker's ability to answer DHCP. 3) Running the VPN inside a virtual machine whose network adapter is not bridged means the guest's DHCP client never talks to the hostile segment. 4) For network administrators, enabling DHCP snooping on switches, so that only trusted ports may answer DHCP, together with the usual segmentation controls, prevents rogue DHCP servers on managed networks. VPN clients whose firewall rules drop any traffic not sent through the tunnel also stop the leak, but Leviathan notes that this turns the attack into a selective denial of service for the affected destinations rather than removing the attacker's influence. Android devices need no mitigation for the reason noted above (Leviathan Security, Zscaler).
The vulnerability has prompted significant discussion in the security community, with many experts noting that it challenges the fundamental promise VPN providers make about security on untrusted networks. VPN providers have begun revising their marketing claims and shipping mitigations. Several major vendors, including Mullvad, Fortinet, and Zscaler, have acknowledged the vulnerability and released advisories or patches (Mullvad, Register).
Source: This report was generated using AI