CVE-2024-3661 - Is Pritunl affected?

The ‘TunnelVision’ vulnerability (CVE-2024-3661) allows the attacker to create their own DHCP server, which will take precedence over the default routing rules through which traffic is sent, receiving all data in transit from the network in an unencrypted manner.

Source: CVE-2024-3661: TunnelVision - How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak (Leviathan Security Group)

I don’t think this or the similar TunnelCrack from last year is a significant issue with VPN servers. These issues are mostly just pointing out fundamental flaws inherent in networking.

With the risk of phishing attacks on internal web applications or internal network traffic getting inadvertently routed off the VPN, even if these flaws could be avoided, the user could still simply forget to connect to the VPN. If the attacker has sufficient knowledge of the internal network and the user is connected to a compromised internet connection, the attacks would still work. The solution to this is to configure internal web applications with valid SSL certificates. With Let's Encrypt this is relatively easy for most configurations. Pritunl Zero could also be used to add both authentication and automatic Let's Encrypt certificates to internal web applications.

Pritunl is mostly focused on corporate use cases and not personal VPN connections to keep internet traffic private or anonymized. Both of these issues do present risks for this use case. If it is critical for the user that all internet traffic go through a VPN connection, the VPN client should never be run on the same device. It would be almost impossible to remove all risk of traffic leaking with that configuration. Instead, routers such as pfSense can be configured to only route internet traffic through a VPN connection. The computer can then be connected to that router, and the router will only route traffic if the VPN connection is active. If there is some flaw that would cause an issue with this configuration, it should be fixed on the router. With the VPN connection outside of the device, there is no risk of configuration issues on the device causing traffic to leak. This could be done on one device with virtual machines, where one virtual machine runs a router and another runs the client operating system.

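The routing behaviour behind the question and the router-based setup in the reply above, as an added example that is not part of the original thread and not Pritunl's or pfSense's code: it decodes a DHCP option 121 payload (RFC 3442 classless static routes), runs plain longest-prefix matching over a client routing table of the kind OpenVPN installs for redirect-gateway (two /1 routes via the tunnel over the DHCP /0 default), and models the "forward LAN traffic only via the VPN interface" policy a router can enforce. All addresses, the routing table, the rogue payload and the function names are constructed for the example; route metrics and policy routing are left out so the prefix-length comparison is visible.

```python
"""Added example (not Pritunl's code): a DHCP option 121 route beats a
routing-based VPN on the client because the routing table, not the VPN
process, picks the egress; a router that forwards only via the VPN
interface drops instead of leaking.  All addresses are constructed."""
import ipaddress
from typing import List, Optional, Tuple

# (destination prefix, next hop, egress interface)
Route = Tuple[ipaddress.IPv4Network, str, str]


def parse_option_121(payload: bytes, iface: str) -> List[Route]:
    """Decode DHCP option 121 (RFC 3442 classless static routes).

    Each entry is: 1-byte prefix length, ceil(len/8) significant octets of
    the destination, then a 4-byte router address.  A malformed or truncated
    payload raises ValueError instead of installing a partial route set.
    """
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"bad prefix length {plen}")
        n = (plen + 7) // 8
        if len(payload) < i + n + 4:
            raise ValueError("truncated option 121 entry")
        dst = int.from_bytes(payload[i:i + n].ljust(4, b"\x00"), "big")
        router = str(ipaddress.IPv4Address(payload[i + n:i + n + 4]))
        i += n + 4
        routes.append((ipaddress.IPv4Network((dst, plen), strict=False), router, iface))
    return routes


def longest_prefix_match(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match as a kernel does it (metrics ignored here).
    The VPN client never sees the packet; the routing table decides first."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def forwarding_decision(table: List[Route], dst: str, vpn_iface: str = "tun0") -> str:
    """Model of the router-only setup: LAN traffic is forwarded only when the
    chosen egress is the VPN interface; anything else is dropped rather than
    leaked, even if the router's own WAN DHCP lease pushed extra routes."""
    route = longest_prefix_match(table, dst)
    return "forward" if route and route[2] == vpn_iface else "drop"


# Constructed client table after an OpenVPN-style redirect-gateway: two /1
# routes via the tunnel outrank the DHCP /0 default, plus a host route so the
# tunnel's own packets still reach the VPN server over eth0.
HOST_TABLE: List[Route] = [
    (ipaddress.IPv4Network("0.0.0.0/0"), "192.168.1.1", "eth0"),
    (ipaddress.IPv4Network("0.0.0.0/1"), "10.8.0.1", "tun0"),
    (ipaddress.IPv4Network("128.0.0.0/1"), "10.8.0.1", "tun0"),
    (ipaddress.IPv4Network("192.168.1.0/24"), "0.0.0.0", "eth0"),
    (ipaddress.IPv4Network("198.51.100.5/32"), "192.168.1.1", "eth0"),  # VPN server
]

# Constructed rogue option 121 payload: a default route plus a /24 for the
# target range (RFC 5737 TEST-NET-3), both pointing at the attacker's gateway.
ROGUE_OPTION_121 = bytes([
    0, 192, 168, 1, 1,                 # 0.0.0.0/0 via 192.168.1.1
    24, 203, 0, 113, 192, 168, 1, 1,   # 203.0.113.0/24 via 192.168.1.1
])


def leak_check(target: str = "203.0.113.10") -> Tuple[str, str, str]:
    """Client egress before and after the rogue routes land, plus the verdict
    the VPN-only router policy would give for the same destination."""
    rogue = parse_option_121(ROGUE_OPTION_121, "eth0")
    before = longest_prefix_match(HOST_TABLE, target)[2]
    after = longest_prefix_match(HOST_TABLE + rogue, target)[2]
    verdict = forwarding_decision(HOST_TABLE + rogue, target)
    return before, after, verdict


if __name__ == "__main__":
    before, after, verdict = leak_check()
    print(f"client egress: before={before} after={after}; router policy: {verdict}")
```

The /24 from the rogue lease wins on prefix length alone, so the client sends the target traffic out eth0 in the clear while the tunnel stays up; a destination not covered by a more specific rogue route (8.8.8.8 here) still matches the /1 and goes via tun0, which is why the leak is selective and easy to miss. The router model returns "drop" for the same packet because the decision is about the egress interface, not about whether the tunnel exists.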