TunnelVision (CVE-2024-3661).

A 2024 attack that abuses DHCP option 121 (classless static routes) on an attacker-controlled network to override a VPN's routing table, sending the victim's plaintext traffic outside the encrypted tunnel. サイバーセキュリティの 攻撃と脅威 カテゴリに属します。

A 2024 attack that abuses DHCP option 121 (classless static routes) on an attacker-controlled network to override a VPN's routing table, sending the victim's plaintext traffic outside the encrypted tunnel.

TunnelVision (CVE-2024-3661), disclosed by Leviathan Security in May 2024, is a routing-table attack against VPN clients that works at the DHCP layer rather than against the VPN protocol itself. A malicious or compromised DHCP server (a rogue Wi-Fi network, a hostile coffee-shop router, a captive portal) responds to the victim's DHCP lease with option 121 — classless static routes — injecting routes more specific than the VPN's default. Because most operating systems honor option 121 above VPN routes, traffic destined for the targeted prefixes egresses the physical interface in plaintext, bypassing the encrypted tunnel entirely. The VPN client still shows 'connected', and there is no kill-switch trigger. Affected platforms include Windows, macOS, iOS (partially), most Linux distributions, and the major commercial VPN clients; Android is largely unaffected because it does not implement option 121. Mitigations include ignoring option 121 on untrusted networks, putting the VPN inside a network namespace (Linux), enforcing the VPN as the only allowed interface via firewall rules, or relying on always-on per-app VPN configurations. The CVE prompted urgent advisories from Mullvad, Proton, and most enterprise VPN vendors.

TunnelVision (CVE-2024-3661) に対する防御は通常、上記の定義で述べたとおり、技術的統制と運用上の実践を組み合わせます。

一般的な別名: CVE-2024-3661, DHCP option 121 attack。