GHSA-hqmp-g7ph-x543: 
Rust vulnerability analysis and mitigation

TunnelVision (CVE-2024-3661) is a novel decloaking technique affecting routing-based VPNs, discovered and disclosed on May 6, 2024. This vulnerability allows attackers to inject entries into routing tables of victims using DHCP option 121, effectively bypassing VPN connections. The vulnerability affects nearly all VPN implementations and is particularly concerning as it maintains the VPN control channel, meaning kill switches are never triggered and users continue to show as connected (Leviathan Blog).

The vulnerability exploits DHCP option 121 to inject routes that take precedence over VPN routing rules. When an attacker controls a DHCP server on the same network as the target, they can push routes that are more specific than the typical /0 CIDR range used by VPNs, resulting in traffic being sent over the physical interface instead of the VPN tunnel. The vulnerability has a CVSS score of 5.3 (Moderate) with metrics indicating Adjacent attack vector, High attack complexity, No privileges required, and No user interaction needed (GitHub Advisory).

The vulnerability affects all users of routing-based VPNs on supported operating systems including Windows, Linux, iOS, and MacOS, with Android being notably unaffected due to lack of DHCP option 121 support. When exploited, the attack allows traffic to bypass VPN encryption entirely, potentially exposing sensitive data while maintaining the appearance of an active VPN connection (Leviathan Blog).

Several mitigation strategies have been identified: implementing network namespaces on Linux systems, using firewall rules to deny all inbound and outbound traffic to/from the physical interface (with exceptions for DHCP and VPN server IPs), disabling DHCP option 121 in the DHCP client, or using a hot spot or VM with non-bridged network adapter. However, each mitigation has its own limitations and potential side effects (Leviathan Blog).