CVE-2024-3661
Publication date: 6 May 2024
Last updated: 28 July 2025
Ubuntu priority: High
CVSS 3 severity score: 7.6 (computed from the CVSS:3.1 vector in the breakdown below)
DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.
Why is this CVE high priority?
An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.
Status
Package | Ubuntu release | Status |
---|---|---|
connman | 25.04 plucky | Ignored (see notes) |
connman | 24.04 LTS noble | Ignored (see notes) |
connman | 22.04 LTS jammy | Ignored (see notes) |
connman | 20.04 LTS focal | Ignored (see notes) |
connman | 18.04 LTS bionic | Ignored (see notes) |
connman | 16.04 LTS xenial | Ignored (see notes) |
gadmin-openvpn-client | 25.04 plucky | Not in release |
gadmin-openvpn-client | 24.04 LTS noble | Not in release |
gadmin-openvpn-client | 22.04 LTS jammy | Not in release |
gadmin-openvpn-client | 20.04 LTS focal | Ignored (see notes) |
gadmin-openvpn-client | 18.04 LTS bionic | Ignored (see notes) |
gadmin-openvpn-client | 16.04 LTS xenial | Ignored (see notes) |
gadmin-openvpn-server | 25.04 plucky | Not in release |
gadmin-openvpn-server | 24.04 LTS noble | Not in release |
gadmin-openvpn-server | 22.04 LTS jammy | Not in release |
gadmin-openvpn-server | 20.04 LTS focal | Ignored (see notes) |
gadmin-openvpn-server | 18.04 LTS bionic | Ignored (see notes) |
gadmin-openvpn-server | 16.04 LTS xenial | Ignored (see notes) |
golang-github-apparentlymart-go-openvpn-mgmt | 25.04 plucky | Ignored (see notes) |
golang-github-apparentlymart-go-openvpn-mgmt | 24.04 LTS noble | Ignored (see notes) |
golang-github-apparentlymart-go-openvpn-mgmt | 22.04 LTS jammy | Ignored (see notes) |
golang-github-apparentlymart-go-openvpn-mgmt | 20.04 LTS focal | Ignored (see notes) |
kvpnc | 25.04 plucky | Not in release |
kvpnc | 24.04 LTS noble | Not in release |
kvpnc | 22.04 LTS jammy | Not in release |
kvpnc | 20.04 LTS focal | Not in release |
kvpnc | 18.04 LTS bionic | Ignored (see notes) |
kvpnc | 16.04 LTS xenial | Ignored (see notes) |
libreswan | 25.04 plucky | Ignored (see notes) |
libreswan | 24.04 LTS noble | Ignored (see notes) |
libreswan | 22.04 LTS jammy | Ignored (see notes) |
libreswan | 20.04 LTS focal | Ignored (see notes) |
libreswan | 18.04 LTS bionic | Ignored (see notes) |
mozillavpn | 25.04 plucky | Not in release |
mozillavpn | 24.04 LTS noble | Not in release |
mozillavpn | 22.04 LTS jammy | Ignored (see notes) |
mozillavpn | 20.04 LTS focal | Not in release |
n2n | 25.04 plucky | Ignored (see notes) |
n2n | 24.04 LTS noble | Ignored (see notes) |
n2n | 22.04 LTS jammy | Ignored (see notes) |
n2n | 20.04 LTS focal | Ignored (see notes) |
n2n | 18.04 LTS bionic | Ignored (see notes) |
n2n | 16.04 LTS xenial | Ignored (see notes) |
network-manager-fortisslvpn | 25.04 plucky | Ignored (see notes) |
network-manager-fortisslvpn | 24.04 LTS noble | Ignored (see notes) |
network-manager-fortisslvpn | 22.04 LTS jammy | Ignored (see notes) |
network-manager-fortisslvpn | 20.04 LTS focal | Ignored (see notes) |
network-manager-fortisslvpn | 18.04 LTS bionic | Ignored (see notes) |
network-manager-iodine | 25.04 plucky | Ignored (see notes) |
network-manager-iodine | 24.04 LTS noble | Ignored (see notes) |
network-manager-iodine | 22.04 LTS jammy | Ignored (see notes) |
network-manager-iodine | 20.04 LTS focal | Ignored (see notes) |
network-manager-iodine | 18.04 LTS bionic | Ignored (see notes) |
network-manager-iodine | 16.04 LTS xenial | Ignored (see notes) |
network-manager-l2tp | 25.04 plucky | Ignored (see notes) |
network-manager-l2tp | 24.04 LTS noble | Ignored (see notes) |
network-manager-l2tp | 22.04 LTS jammy | Ignored (see notes) |
network-manager-l2tp | 20.04 LTS focal | Ignored (see notes) |
network-manager-l2tp | 18.04 LTS bionic | Ignored (see notes) |
network-manager-openconnect | 25.04 plucky | Ignored (see notes) |
network-manager-openconnect | 24.04 LTS noble | Ignored (see notes) |
network-manager-openconnect | 22.04 LTS jammy | Ignored (see notes) |
network-manager-openconnect | 20.04 LTS focal | Ignored (see notes) |
network-manager-openconnect | 18.04 LTS bionic | Ignored (see notes) |
network-manager-openconnect | 16.04 LTS xenial | Ignored (see notes) |
network-manager-openvpn | 25.04 plucky | Ignored (see notes) |
network-manager-openvpn | 24.04 LTS noble | Ignored (see notes) |
network-manager-openvpn | 22.04 LTS jammy | Ignored (see notes) |
network-manager-openvpn | 20.04 LTS focal | Ignored (see notes) |
network-manager-openvpn | 18.04 LTS bionic | Ignored (see notes) |
network-manager-openvpn | 16.04 LTS xenial | Ignored (see notes) |
network-manager-pptp | 25.04 plucky | Ignored (see notes) |
network-manager-pptp | 24.04 LTS noble | Ignored (see notes) |
network-manager-pptp | 22.04 LTS jammy | Ignored (see notes) |
network-manager-pptp | 20.04 LTS focal | Ignored (see notes) |
network-manager-pptp | 18.04 LTS bionic | Ignored (see notes) |
network-manager-pptp | 16.04 LTS xenial | Ignored (see notes) |
network-manager-sstp | 25.04 plucky | Ignored (see notes) |
network-manager-sstp | 24.04 LTS noble | Ignored (see notes) |
network-manager-sstp | 22.04 LTS jammy | Ignored (see notes) |
network-manager-sstp | 20.04 LTS focal | Not in release |
network-manager-strongswan | 25.04 plucky | Ignored (see notes) |
network-manager-strongswan | 24.04 LTS noble | Ignored (see notes) |
network-manager-strongswan | 22.04 LTS jammy | Ignored (see notes) |
network-manager-strongswan | 20.04 LTS focal | Ignored (see notes) |
network-manager-strongswan | 18.04 LTS bionic | Ignored (see notes) |
network-manager-strongswan | 16.04 LTS xenial | Ignored (see notes) |
network-manager-vpnc | 25.04 plucky | Ignored (see notes) |
network-manager-vpnc | 24.04 LTS noble | Ignored (see notes) |
network-manager-vpnc | 22.04 LTS jammy | Ignored (see notes) |
network-manager-vpnc | 20.04 LTS focal | Ignored (see notes) |
network-manager-vpnc | 18.04 LTS bionic | Ignored (see notes) |
network-manager-vpnc | 16.04 LTS xenial | Ignored (see notes) |
openconnect | 25.04 plucky | Ignored (see notes) |
openconnect | 24.04 LTS noble | Ignored (see notes) |
openconnect | 22.04 LTS jammy | Ignored (see notes) |
openconnect | 20.04 LTS focal | Ignored (see notes) |
openconnect | 18.04 LTS bionic | Ignored (see notes) |
openconnect | 16.04 LTS xenial | Ignored (see notes) |
openfortivpn | 25.04 plucky | Ignored (see notes) |
openfortivpn | 24.04 LTS noble | Ignored (see notes) |
openfortivpn | 22.04 LTS jammy | Ignored (see notes) |
openfortivpn | 20.04 LTS focal | Ignored (see notes) |
openfortivpn | 18.04 LTS bionic | Ignored (see notes) |
openvpn | 25.04 plucky | Ignored (see notes) |
openvpn | 24.04 LTS noble | Ignored (see notes) |
openvpn | 22.04 LTS jammy | Ignored (see notes) |
openvpn | 20.04 LTS focal | Ignored (see notes) |
openvpn | 18.04 LTS bionic | Ignored (see notes) |
openvpn | 16.04 LTS xenial | Ignored (see notes) |
openvpn | 14.04 LTS trusty | Ignored (see notes) |
pptp-linux | 25.04 plucky | Ignored (see notes) |
pptp-linux | 24.04 LTS noble | Ignored (see notes) |
pptp-linux | 22.04 LTS jammy | Ignored (see notes) |
pptp-linux | 20.04 LTS focal | Ignored (see notes) |
pptp-linux | 18.04 LTS bionic | Ignored (see notes) |
pptp-linux | 16.04 LTS xenial | Ignored (see notes) |
pptpd | 25.04 plucky | Not in release |
pptpd | 24.04 LTS noble | Not in release |
pptpd | 22.04 LTS jammy | Ignored (see notes) |
pptpd | 20.04 LTS focal | Ignored (see notes) |
pptpd | 18.04 LTS bionic | Ignored (see notes) |
pptpd | 16.04 LTS xenial | Ignored (see notes) |
pptpd | 14.04 LTS trusty | Ignored (see notes) |
quicktun | 25.04 plucky | Ignored (see notes) |
quicktun | 24.04 LTS noble | Ignored (see notes) |
quicktun | 22.04 LTS jammy | Ignored (see notes) |
quicktun | 20.04 LTS focal | Ignored (see notes) |
quicktun | 18.04 LTS bionic | Ignored (see notes) |
riseup-vpn | 25.04 plucky | Ignored (see notes) |
riseup-vpn | 24.04 LTS noble | Ignored (see notes) |
riseup-vpn | 22.04 LTS jammy | Not in release |
riseup-vpn | 20.04 LTS focal | Not in release |
softether-vpn | 25.04 plucky | Ignored (see notes) |
softether-vpn | 24.04 LTS noble | Ignored (see notes) |
softether-vpn | 22.04 LTS jammy | Ignored (see notes) |
softether-vpn | 20.04 LTS focal | Not in release |
sshuttle | 25.04 plucky | Ignored (see notes) |
sshuttle | 24.04 LTS noble | Ignored (see notes) |
sshuttle | 22.04 LTS jammy | Ignored (see notes) |
sshuttle | 20.04 LTS focal | Ignored (see notes) |
sshuttle | 18.04 LTS bionic | Ignored (see notes) |
sshuttle | 16.04 LTS xenial | Ignored (see notes) |
tinc | 25.04 plucky | Ignored (see notes) |
tinc | 24.04 LTS noble | Ignored (see notes) |
tinc | 22.04 LTS jammy | Ignored (see notes) |
tinc | 20.04 LTS focal | Ignored (see notes) |
tinc | 18.04 LTS bionic | Ignored (see notes) |
tinc | 16.04 LTS xenial | Ignored (see notes) |
vpnc | 25.04 plucky | Ignored (see notes) |
vpnc | 24.04 LTS noble | Ignored (see notes) |
vpnc | 22.04 LTS jammy | Ignored (see notes) |
vpnc | 20.04 LTS focal | Ignored (see notes) |
vpnc | 18.04 LTS bionic | Ignored (see notes) |
vpnc | 16.04 LTS xenial | Ignored (see notes) |
wireguard | 25.04 plucky | Ignored (see notes) |
wireguard | 24.04 LTS noble | Ignored (see notes) |
wireguard | 22.04 LTS jammy | Ignored (see notes) |
wireguard | 20.04 LTS focal | Ignored (see notes) |
wireguard | 18.04 LTS bionic | Ignored (see notes) |
wireguard | 16.04 LTS xenial | Ignored (see notes) |
Notes
rodrigo-zaiden
Other VPN software may be affected. As of 2024-05-08, there are no reports from VPN providers.
mdeslaur
This issue is actually in the way DHCP clients handle the route option. There is no clear solution to this issue as of 2024-05-14; marking all packages as deferred for now.
nic89
This relies on a victim connecting to an untrusted network with a rogue DHCP server via a DHCP client that implements option 121. It can be mitigated by using namespaces on Linux.
ebarretto
It can also be mitigated by disabling option 121 in the DHCP client configuration.
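The description at the top of this page and the mitigations in the notes above (ignore option 121; keep the VPN in its own namespace) can be reproduced offline with the following model. This is an added example written for this page; it is not code from the Ubuntu security tracker or from any package in the status table. It assumes a full-tunnel VPN client that overrides the default route with the 0.0.0.0/1 and 128.0.0.0/1 pair (what OpenVPN's `redirect-gateway def1` installs; WireGuard's wg-quick uses policy routing instead, which this single-table model does not cover), a DHCP client that installs every RFC 3442 classless static route from the lease on the physical interface, and a kernel that selects routes by longest prefix match. The option 121 bytes, the route tables, the probe addresses and the `ip route` lines are all constructed for the example.

```python
"""Added example for CVE-2024-3661 (TunnelVision); not code from the Ubuntu
tracker or from any package listed on this page.  It models:
  - a rogue DHCP server on the LAN sending option 121 (RFC 3442 classless
    static routes) that the DHCP client installs on the physical interface;
  - longest-prefix-match route selection, so a pushed /2 or /32 beats the
    0.0.0.0/1 + 128.0.0.0/1 pair a full-tunnel VPN client installs on its
    tunnel device, and that traffic leaves the host unencrypted;
  - the mitigation of ignoring option 121 (a VPN confined to its own network
    namespace is equivalent here: the DHCP client never touches that table).
Every byte string, route table and `ip route` line below is constructed."""
import ipaddress


def encode_option121(routes):
    """Encode (destination CIDR, router) pairs as RFC 3442 option 121 data:
    1 byte prefix length, only the significant octets of the destination,
    then the 4-byte router address."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)
        sig = (net.prefixlen + 7) // 8          # RFC 3442 section 2
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_option121(data):
    """Parse option 121 data as a DHCP client must; reject malformed input."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError("prefix length > 32")
        sig = (plen + 7) // 8
        if i + sig + 4 > len(data):
            raise ValueError("truncated option 121")
        dest = ipaddress.IPv4Address(data[i:i + sig].ljust(4, b"\x00"))
        router = ipaddress.IPv4Address(data[i + sig:i + sig + 4])
        i += sig + 4
        # strict=False masks any host bits a hostile server left set
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False), router))
    return routes


def select_route(table, dst):
    """Longest-prefix match over one route table, as the Linux FIB does
    (metrics and policy-routing rules are deliberately not modelled)."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for net, dev in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def apply_dhcp_routes(table, option_data, phys_dev, honor_option121=True):
    """What the DHCP client does with a lease: install each pushed route on the
    physical interface.  honor_option121=False is the 'ignore option 121'
    mitigation from the notes."""
    if not honor_option121:
        return list(table)
    return list(table) + [(net, phys_dev) for net, _router in decode_option121(option_data)]


def leaked_destinations(table, tunnel_dev, destinations):
    """Destinations whose egress is not the tunnel although the VPN is up."""
    return [d for d in destinations if select_route(table, d) != tunnel_dev]


def suspicious_dhcp_routes(ip_route_output):
    """Audit `ip route show` text: with a full-tunnel VPN up, the only route a
    DHCP lease normally contributes is the default route, so any other route
    tagged 'proto dhcp' deserves a look."""
    found = []
    for line in ip_route_output.splitlines():
        f = line.split()
        if f and "proto" in f and f[f.index("proto") + 1] == "dhcp" and f[0] != "default":
            found.append(line.strip())
    return found


# Constructed scenario: full-tunnel VPN on tun0, LAN on eth0, gateway 192.168.1.1.
VPN_UP = [
    (ipaddress.IPv4Network("0.0.0.0/0"), "eth0"),        # original default via the LAN
    (ipaddress.IPv4Network("192.168.1.0/24"), "eth0"),
    (ipaddress.IPv4Network("0.0.0.0/1"), "tun0"),        # VPN client's /1 pair beats /0
    (ipaddress.IPv4Network("128.0.0.0/1"), "tun0"),
]
# Rogue DHCP server pushes one /2 (a quarter of the IPv4 space) and one /32 target.
ROGUE_OPTION_121 = encode_option121([("0.0.0.0/2", "192.168.1.1"),
                                     ("198.51.100.10/32", "192.168.1.1")])
PROBES = ["1.1.1.1", "198.51.100.10", "203.0.113.5"]

CONSTRUCTED_IP_ROUTE = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 dev tun0 scope link
0.0.0.0/2 via 192.168.1.1 dev eth0 proto dhcp metric 100
128.0.0.0/1 dev tun0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
198.51.100.10 via 192.168.1.1 dev eth0 proto dhcp metric 100
"""

if __name__ == "__main__":
    vuln = apply_dhcp_routes(VPN_UP, ROGUE_OPTION_121, "eth0")
    print("leaked, option 121 honoured:", leaked_destinations(vuln, "tun0", PROBES))
    safe = apply_dhcp_routes(VPN_UP, ROGUE_OPTION_121, "eth0", honor_option121=False)
    print("leaked, option 121 ignored:", leaked_destinations(safe, "tun0", PROBES))
    for r in suspicious_dhcp_routes(CONSTRUCTED_IP_ROUTE):
        print("suspicious:", r)
```

Run as-is, the model shows 1.1.1.1 (covered by the pushed 0.0.0.0/2) and 198.51.100.10 (the pushed /32) leaving via eth0 while 203.0.113.5 still goes through tun0, which is the partial, targeted leak the description refers to; with the lease's option 121 ignored nothing leaks. The audit function is the quick on-host check: a `proto dhcp` route other than `default` while a full-tunnel VPN is up is exactly the artefact this attack leaves behind.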
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.6 (computed from the vector below) |
Attack vector | Adjacent |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality impact | High |
Integrity impact | Low |
Availability impact | Low |
Vector | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L |
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2024-3661
- https://datatracker.ietf.org/doc/html/rfc2131#section-7
- https://datatracker.ietf.org/doc/html/rfc3442#section-7
- https://tunnelvisionbug.com/
- https://www.leviathansecurity.com/research/tunnelvision
- https://news.ycombinator.com/item?id=40279632
- https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/
- https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/
- https://issuetracker.google.com/issues/263721377
- https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision
- https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability
- https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic
- https://news.ycombinator.com/item?id=40284111
- https://www.agwa.name/blog/post/hardening_openvpn_for_def_con