New TunnelVision Attack Explained (May 2024)
- Published 19 May 2024
- lawrence.video/
TunnelVision (CVE-2024-3661) research write up
www.leviathansecurity.com/blo...
Chapters
00:00 TunnelVision Attack CVE-2024-3661
01:00 Split Tunnel VPN
02:15 Full Tunnel VPN
03:15 Tunnel-vision attack
04:42 Mitigation for TunnelVision
It is actually a useful feature if you know how to use it. Not a bug at all nor should be categorized as a vulnerability in my opinion
@@robyee3325 At the ISP I used to work for, we used Option 121 to provide the routes for the Microsoft Mediaroom (IPTV) servers b/c the STBs were all behind the one gateway/router that also provided WiFi and internet. The home modem/router would get a private IP for the video connection (on one VLAN or VPI/VCI) and also an IPv4 public address for regular internet (on another VLAN or VPI/VCI). This was the recommended way by Microsoft and the integrators and is how many ISPs deployed it back in the day (2011-2016). I would assume they are still doing it the same way today for the Mediaroom IPTV solution (whomever owns it now).
Thanks Tom for breaking this down and getting the word out.
Thanks for explaining this. Great job!
Great explanation, thanks Tom! I bought a gli travel router before our last family holiday but didn't take it in the end because I already had a bag full of electronics :)) but I will make room for it next time we travel..
Hey Tom, totally unrelated question, but what software are you using to make those drawings/diagrams? 🙂
lawrence.video/diagrams
@@LAWRENCESYSTEMS awesome, hadn't thought of searching through the vids, thanks!
Thanks Tom
Well, since you brought them up, I'd love to see a good in-depth setup tutorial on configuring travel routers. Most I've seen use the gl-inet hardware with their baked-in firmware. It's ok, but it's several versions behind the full open source version, which doesn't speak highly of staying on top of vulnerabilities. What they *have* done is optimize the settings to make it much more accessible to the general user -- and the default open source version is anything but user friendly. I'd love to see a tutorial on setting up the devices with the latest open source version and talking through the various configuration options. There's literally nothing out there (that's current). It'd bridge the gap from the other channels like Chris at crosstalk that simply promote the custom firmware and ignore the potential security issues with that stance. Just a thought.
It's funny that people that use gl-inet hardware are often tinfoil hats. Until recently gl-inet had a Seattle based address that was a USPS PO Box. Now they have a Fairfax, VA based address that looks like a virtual office.
I’m not making any assumptions on what anyone’s views or reasons are for using them. I think there are plenty of valid reasons that have nothing to do with VPNs, security or privacy. I have noticed the same thing with those routers and several other popular brands. That’s exactly why I think it’s a good idea to re-image them with the latest OSS version. It’s not hard, but it’s not user friendly, either. It took me about five tries before I figured out the radio configuration that worked, and even then, the default menus bury important settings. The average user would give up and just reinstall the regular firmware on it, if they didn’t give up and trash the thing to begin with. A solid tutorial for the masses would be a huge service to the masses. Tom’s perspective on it would generate a lot of acceptance, in my opinion.
In the context of this video, the travel router has to do nothing more than be a NAT device between your personal device and the public wi-fi. The "setup" is as simple as connecting your device to your travel router and connecting the travel router to the public wi-fi.
If a feature is found to be a potential security issue then we need a feature to disable it.
I'm sure DHCP client updates are forthcoming.
@Lawrence Systems what did you use to make the animated diagram?
An intern I'm sure
lawrence.video/diagrams
I do my own diagrams and my own stunts!
@@LAWRENCESYSTEMS LOL, fair
Wait...what's the issue? Seems like everything is working as intended.
Could you or someone elaborate on 5:45? Should I not be running the VPN client on my travel router?
Running the VPN on a travel router would make it vulnerable to this attack provided the travel router supported that DHCP option
@@LAWRENCESYSTEMS got it, but you mentioned "if you're doing it right" ... Outside of this "attack", is it generally a bad idea, I guess is my question?
Thank you for the video!
@@Emerald13 Outside of this attack it should be fine to use a VPN on a travel router.
Not only can DHCP do this but I'm like 99% sure ICMP itself has a way to "suggest" routes to computers via different gateways. I'm not certain if those can be made gratuitous though.
ICMP Redirect. Most systems ignore this now. It is too easy to forge.
Tom, I think you could have also mentioned that it's not really an issue for overlay networks that tend to poke /32 routes into your routing table.
Also, it's not difficult to remediate. Any VPN client could monitor your routing table for conflicting routes, or any end point protection system could monitor for suspicious routes in DHCP replies.
Depending on the configuration of your DHCP client, an attack like this would be easily identified in your logs.
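One way to implement the monitoring this comment describes, as an added example that is not from the video, the research write-up or any commenter: decode the classless static routes in a DHCP option 121 payload (RFC 3442) and flag any that are more specific than the routes a full-tunnel VPN installs, since longest-prefix match makes those win over the tunnel. The option 121 bytes, the 192.0.2.x/198.51.100.x addresses and the 0.0.0.0/1 + 128.0.0.0/1 VPN route pair are constructed assumptions.

```python
import ipaddress

# Constructed sample payload of DHCP option 121 (RFC 3442 classless static routes).
# Each entry: 1 byte prefix length, ceil(prefix/8) destination octets, 4 router octets.
SAMPLE_OPTION_121 = bytes([
    8, 10, 192, 0, 2, 1,                  # 10.0.0.0/8 via 192.0.2.1 (the LAN gateway)
    0, 192, 0, 2, 1,                      # 0.0.0.0/0 default via 192.0.2.1
    32, 198, 51, 100, 7, 192, 0, 2, 254,  # 198.51.100.7/32 via 192.0.2.254
])

# Routes a typical full-tunnel VPN client installs to capture all traffic (assumption).
FULL_TUNNEL_ROUTES = [ipaddress.IPv4Network("0.0.0.0/1"), ipaddress.IPv4Network("128.0.0.0/1")]


def parse_option_121(data: bytes) -> list:
    """Decode the classless static routes in a DHCP option 121 payload into (network, router) pairs."""
    routes = []
    i = 0
    while i < len(data):
        prefix_len = data[i]
        i += 1
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len}")
        n_octets = (prefix_len + 7) // 8  # only the significant destination octets are sent
        if i + n_octets + 4 > len(data):
            raise ValueError("truncated option 121 payload")
        dest = bytes(data[i:i + n_octets]).ljust(4, b"\x00")
        router = ipaddress.IPv4Address(data[i + n_octets:i + n_octets + 4])
        i += n_octets + 4
        routes.append((ipaddress.IPv4Network((dest, prefix_len), strict=False), router))
    return routes


def conflicting_routes(dhcp_routes: list, vpn_routes: list) -> list:
    """Flag DHCP-pushed routes that are more specific than a VPN route they overlap.
    Such a route wins longest-prefix match, so that destination's traffic leaves via the
    physical interface. A plain default route (/0) is never more specific, so it is not flagged.
    """
    flagged = []
    for net, gw in dhcp_routes:
        for vpn_net in vpn_routes:
            if net.overlaps(vpn_net) and net.prefixlen > vpn_net.prefixlen:
                flagged.append((net, gw, vpn_net))
                break
    return flagged


if __name__ == "__main__":
    for net, gw, shadowed in conflicting_routes(parse_option_121(SAMPLE_OPTION_121), FULL_TUNNEL_ROUTES):
        print(f"WARNING: DHCP route {net} via {gw} bypasses VPN route {shadowed}")
```

Feeding the option 121 bytes from a real DHCP client's lease (or a packet capture) into `parse_option_121` gives the routes to compare against whatever the VPN client actually installed.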
Trust me, this was reported to VPN vendors before. They just don't consider this to 'fit their model'.
@@JLT9150 I would generally agree with them. Similar to Tom, my first reaction was that everything is working as intended. But upon further reflection, I can understand how this might be surprising behavior to someone less accustomed to thinking about routing tables.
I'd say it's more in scope for an endpoint security tool to monitor and warn about weird DHCP routes than a VPN client.
What I love about wireguard is that the IP configurations are statically assigned to the users. Plus wireguard can force all traffic to go through the tunnel which is what I currently have it set at.
I consider this a VPN configuration problem. Why would the VPN not encapsulate that traffic?
Because DHCP adding routes is a feature.
@@LAWRENCESYSTEMS VPN configuration can specify what traffic/destinations/sources it encapsulates. Failure to encapsulate the correct traffic is a vpn configuration problem.
This explanation, to my understanding, seems at least incomplete.
For this vulnerability to work the DHCP server also has to become the gateway.
Know this vulnerability is extremely easy to execute on non-authenticated networks like most public networks, many corporate networks and many private networks.
However, this attack does require being present on the same network as the target, which does introduce a challenge.
I use this on my home network to advertise routes to other subnets. Yes, I have multiple subnets at home.
Why would you advertise routes via DHCP?
@@LAWRENCESYSTEMS 1. routes are needed; 2. options: static config on each client, routing protocol, or DHCP; 3. everything does DHCP with no added effort; 4. DHCP puts the config in one place and works for most clients of concern (not the tplink smart gadgets).
The reason routes are needed is because I run multiple subnets with a DMZ, with the sensitive subnets behind another firewall+router. And these days almost nothing respects ICMP Redirect. That worked fine in the 1990s and early 2000s, but "security."
'net connections to primary router with subnets: DMZ, VOIP, smart gadgets, guest wifi, test
On the DMZ: home router, work router. Behind each of those are multiple subnets. Work typically has had multiple routers for development and test, because since 2008 I was doing router and security appliance firmware.
static IP on my pfsense WAN = I'm safe yeah?
Not really an issue there.
Did he explain the vulnerability or not? I think he didn't. Am I stupid?
Or you could just assign the IP statically once you get it from the DHCP server...
Yes, because everyone is to be expected to statically assign IPs to their own devices every time they connect to the VPN. What a genius solution. Can't wait to see the faces of the users at a company where an IT person tries to explain this process they have to do every time they connect on the VPN.
I laughed when I saw the notification for this "vulnerability". It's a nothing burger, unless you put yourself into a position for it to happen.
Shows only you understand very little.
Hi Tom, if I understand correctly these routes can be overridden with static DNS servers, right??? Would this also be a solution???
The point is that it overrides routes and sends the traffic out over the internet instead of over your VPN.
You didn’t understand correctly as your underpinning knowledge is insufficient.
DNS servers are not routes, so no. Simply put, a routing table tells the system how some traffic should flow; DNS servers answer queries about IP addresses, but have nothing to do with setting up the routing table.
So the solution is Double NAT? Huh
Subnet separation/isolation. The public wi-fi dhcp server doesn't issue any configuration to the clients behind the travel router. You run the VPN on your device as before, not the travel router.
NONE of my VPNs have Internet or ANY routing!
Need to check/secure end-points by forcing their traffic through a funnel?
You are doing it WRONG!
Is this why Microsoft broke VPNs in a recent Windows 10/11 update?
Nope, that was their usual bungling of updates.
first
Sounds like all the commercial VPN services like NordVPN just lost a major selling point.