.svg?width=185&quality=80&auto=webp&format=auto&cache=true&immutable=true&cache-control=max-age%3D31536000 "Home"){kind=logo}
.svg?width=13&quality=80&auto=webp&format=auto&cache=true&immutable=true&cache-control=max-age%3D31536000 "Top Navigation - Sign in - Icon")
Informational
Advisory: TunnelVision Vulnerability in VPN Clients
CVE(S)
CVE-2024-3661
PRODUCT(S)
Sophos Connect Client 2.0
Updated
2024 Jun 10
Article Version
1
First Published
2024 Jun 10
Publication ID
sophos-sa-20240610-tunnelvision
Workaround
Yes
Overview
On May 6, 2024, Leviathan Security Group published an article about decloaking VPN traffic using DHCP option 121 (classless route option), dubbed “TunnelVision”. The issue was assigned CVE-2024-3661 with a CVSS v3.1 score of 7.6.
The issue allows an adversarial DHCP server on the local network to route user traffic via the physical network interface to a gateway of the attacker’s choice instead of an established VPN tunnel.
Encrypted traffic, such as HTTPS, remains secure and cannot be decrypted, even if an adversary manipulates the routing.
Mitigations
An update of Sophos Connect Client is not required as the risk of exploitation is very low and easily mitigated by ensuring TLS is used on all services reachable via VPN.
Related information
Sophos Responsible Disclosure Policy
To learn about Sophos security vulnerability disclosure policies and publications, see the Responsible Disclosure Policy.