TunnelVision - CVE-2024-3661

Summary

Fortinet is aware of the recent publication of the TunnelVision vulnerability (CVE-2024-3661).


The research [1] identified a technique to bypass protected VPN tunnels when clients connect via an untrusted network, such as a rogue Wi-Fi network.


This attack may allow an attacker-controlled DHCP server on the same network as the targeted user to reroute VPN traffic by installing routes in the target's routing table that are more specific than the VPN's own routes. Because hosts select routes by longest prefix match, the more specific routes win and the matching traffic is sent to the attacker's gateway instead of the VPN tunnel interface.


Note that this technique does not allow decrypting HTTPS traffic; rather, it redirects traffic through attacker-controlled channels before the traffic enters the VPN tunnel, so that traffic never receives the VPN's encryption (application-layer encryption such as TLS still applies).
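The following is an added example, not part of the Fortinet advisory and not Fortinet's code. It decodes a DHCP option 121 (classless static route, RFC 3442) payload and applies longest-prefix matching against the routes a full-tunnel VPN installs, showing which pushed routes would pull traffic out of the tunnel. Assumptions: the tunnel interface is called tun0, the VPN installs the common 0.0.0.0/1 and 128.0.0.0/1 pair, and the option 121 payload is constructed here for illustration.

```python
"""Added example (not Fortinet's code): decode DHCP option 121 and show why
routes it carries can pull traffic out of a VPN tunnel under longest-prefix match."""
import ipaddress

TUNNEL = "tun0"  # assumed name of the VPN's tunnel interface


def parse_option_121(payload: bytes):
    """Decode RFC 3442 classless static routes into (network, router) pairs.

    Each route is: 1 byte prefix length, ceil(prefix/8) significant octets of
    the destination, then 4 bytes of router address. A prefix length of 0
    with no destination octets encodes a default route.
    """
    routes = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i}")
        n = (plen + 7) // 8  # number of significant destination octets
        i += 1
        if i + n + 4 > len(payload):
            raise ValueError(f"truncated route at offset {i}")
        dest = ipaddress.IPv4Address(payload[i:i + n] + b"\x00" * (4 - n))
        router = ipaddress.IPv4Address(payload[i + n:i + n + 4])
        i += n + 4
        routes.append((ipaddress.ip_network(f"{dest}/{plen}", strict=False), str(router)))
    return routes


def winning_route(dest, table):
    """Longest-prefix match over (network, via) pairs.

    On equal prefix length the first entry wins; real OSes break such ties by
    metric, so equal-length routes are not treated as a hijack here.
    """
    dest = ipaddress.ip_address(dest)
    best = None
    for net, via in table:
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best


def hijacked_routes(vpn_table, dhcp_routes):
    """DHCP-pushed routes that themselves win the lookup and point away from the tunnel."""
    table = list(vpn_table) + list(dhcp_routes)  # VPN entries first so ties favour the tunnel
    stolen = []
    for net, via in dhcp_routes:
        winner = winning_route(net.network_address, table)
        if winner[0] == net and winner[1] != TUNNEL:
            stolen.append((net, via))
    return stolen


# Constructed: the two /1 routes a full-tunnel client commonly installs; together
# they cover all of IPv4 and beat the local network's /0 default route.
VPN_TABLE = [
    (ipaddress.ip_network("0.0.0.0/1"), TUNNEL),
    (ipaddress.ip_network("128.0.0.0/1"), TUNNEL),
]

# Constructed option 121 payload from a rogue DHCP server: a normal default route
# plus four /2 routes via the attacker's gateway. The /2 routes also cover all of
# IPv4 but are more specific than the VPN's /1 routes, so they win every lookup.
ROGUE_OPTION_121 = (
    b"\x00" + bytes([192, 168, 1, 1])              # 0.0.0.0/0   via 192.168.1.1
    + b"\x02\x00" + bytes([192, 168, 1, 254])      # 0.0.0.0/2   via 192.168.1.254
    + b"\x02\x40" + bytes([192, 168, 1, 254])      # 64.0.0.0/2  via 192.168.1.254
    + b"\x02\x80" + bytes([192, 168, 1, 254])      # 128.0.0.0/2 via 192.168.1.254
    + b"\x02\xc0" + bytes([192, 168, 1, 254])      # 192.0.0.0/2 via 192.168.1.254
)


def demo():
    """Return the pushed routes that would carry traffic around the tunnel."""
    dhcp = parse_option_121(ROGUE_OPTION_121)
    return [f"{net} via {via}" for net, via in hijacked_routes(VPN_TABLE, dhcp)]


if __name__ == "__main__":
    for line in demo():
        print("leaves the tunnel:", line)
```

The same check can be run against the routing table of a real client after it joins a network: any route more specific than the VPN's that does not point at the tunnel interface is a candidate leak, which is exactly what disabling option 121 processing or enforcing exclusive routing prevents.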

Version                 Affected               Solution
FortiClientLinux 7.4    7.4.0                  Upgrade to upcoming 7.4.1 or above
FortiClientLinux 7.2    7.2.0 through 7.2.4    Upgrade to upcoming 7.2.5 or above
FortiClientLinux 7.0    7.0 all versions       Migrate to a fixed release
FortiClientLinux 6.4    6.4 all versions       Migrate to a fixed release
FortiClientMac 7.4      7.4.0                  Upgrade to upcoming 7.4.1 or above
FortiClientMac 7.2      7.2.0 through 7.2.4    Upgrade to upcoming 7.2.5 or above
FortiClientMac 7.0      7.0 all versions       Migrate to a fixed release
FortiClientMac 6.4      6.4 all versions       Migrate to a fixed release
FortiClientWindows 7.4  7.4.0                  Upgrade to upcoming 7.4.1 or above
FortiClientWindows 7.2  7.2.0 through 7.2.4    Upgrade to upcoming 7.2.5 or above
FortiClientWindows 7.0  7.0 all versions       Migrate to a fixed release
FortiClientWindows 6.4  6.4 all versions       Migrate to a fixed release

Solutions:


FortiClientWindows:
SSL-VPN full tunnel with 'exclusive-routing' enabled is unaffected. Note that application-based split tunneling takes precedence over exclusive-routing and disables it, so a portal that uses application-based split tunneling does not get this protection.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enabling-SSL-VPN-Full-Tunnel/ta-p/191848


FortiOS site-to-site VPN:


FortiOS may be affected when it is configured as a DHCP client on the interface that is connected to the rogue DHCP server and the 'dhcp-classless-route-addition' setting is enabled on that interface.
To disable it, enter the following commands, where <port> is the DHCP client interface:
config system interface
    edit <port>
        set dhcp-classless-route-addition disable
    end


With this setting disabled, FortiOS does not process DHCP option 121 (classless static routes) and is therefore unaffected. The default value of this setting may differ between models, so verify it on each device rather than assuming it is disabled.


Workarounds:


Avoid connecting to potentially unsafe Wi-Fi networks.


Mitigations:


With an IPsec VPN full tunnel, attempts to reroute traffic with this technique will result in the FortiGate firewall policies dropping packets that do not arrive from the VPN tunnel interface before they reach the attacker-controlled channel. Ensure that enable_local_lan is set to 0.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPSec-dial-up-full-tunnel-with-FortiClient/ta-p/189452
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Impossible-to-access-local-area-network-of-the/ta-p/244482

Timeline

2024-06-11: Initial publication
2024-06-17: Update solution versions

References