Security Vulnerability: CVE-2024-3661: Tunnel Vision

On May 6th, 2024 the Leviathan Security Group published an article detailing a technique to bypass most VPN applications (CVE-2024-3661). The technique lets attackers trick many VPN clients into sending traffic via a side channel rather than through the encrypted tunnel. Traffic that flows through the side channel is unencapsulated and can be snooped by an attacker. For more information, see the Cato Blog.

Severity

The CVSS score is 7.6 (High).

Impact

The impacted Clients are:

  • Windows
  • macOS
  • iOS
  • Linux

To date, Cato is not aware of any malicious exploitation attempts targeting Cato customers.

Resolution

On the Windows Client, use a registry key to enable the "Delete Static Routes" feature. This configures the Client to delete all static routes not managed by Cato.

This takes effect the next time the Client connects to the Cato cloud. If Always-On is enabled, users may need to bypass Always-On. For more information on how to bypass Always-On, see Temporarily Bypassing Secured Internet Access.

You can configure the registry key manually or with an MDM.

To configure the Windows registry manually:

  1. Go to this location in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\CatoNetworksVPN
  2. Define this value: DeleteStaticRoutes = 1 (DWORD)

To configure the Windows registry with an MDM:

  1. Run this command: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\CatoNetworksVPN" /v DeleteStaticRoutes /t REG_DWORD /d 1 /f
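The following PowerShell script is an added example, not a script from Cato or from this article. It applies the DeleteStaticRoutes DWORD under the registry path named above, verifies that the value was written, and then lists the active IPv4 routes that are neither the default route nor on-link, which is where static routes pushed by a DHCP server would appear. The registry path and value name come from the advisory; the route filter is this example's own heuristic for auditing a host and is not a Cato-documented check. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not Cato's own script): set and verify the DeleteStaticRoutes
# value from the advisory, then audit the active routing table.

$KeyPath   = 'HKLM:\SOFTWARE\CatoNetworksVPN'   # path from the advisory
$ValueName = 'DeleteStaticRoutes'               # value name from the advisory

function Set-DeleteStaticRoutes {
    # Create the key if the Client has not created it yet, then write the DWORD.
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-DeleteStaticRoutes {
    # Returns $true only when the value exists and equals 1.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

function Get-NonDefaultGatewayRoutes {
    # Assumption of this example: routes other than 0.0.0.0/0 that carry a real
    # next hop are the kind a DHCP Option 121 push would install. Reviewing them
    # shows whether any traffic is being steered around the tunnel.
    Get-NetRoute -AddressFamily IPv4 -PolicyStore ActiveStore |
        Where-Object { $_.DestinationPrefix -ne '0.0.0.0/0' -and $_.NextHop -ne '0.0.0.0' } |
        Select-Object InterfaceAlias, DestinationPrefix, NextHop, RouteMetric
}

Set-DeleteStaticRoutes
if (Test-DeleteStaticRoutes) {
    Write-Output "$ValueName is set to 1 under $KeyPath; it takes effect on the next Client connection."
} else {
    Write-Warning "$ValueName was not applied; re-run from an elevated prompt."
}

Write-Output 'Active non-default IPv4 routes with a next hop:'
Get-NonDefaultGatewayRoutes | Format-Table -AutoSize
```

The route listing is only an audit aid: a legitimate corporate DHCP server may also push classless static routes, so compare the output against the routes your network is expected to install before treating an entry as suspicious.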

We are working on updates to the other affected operating systems, and these will be issued as they become available.

Additional Recommendations

To improve security in managed networks or in scenarios involving public or otherwise untrusted networks, these additional recommendations can help mitigate the vulnerability:

  • Mitigating DHCP attacks on local networks: Admins can enable configurations on network switches such as DHCP Snooping to protect the network from the introduction of a rogue DHCP server.
  • Use Cellular Hotspots: Using a cellular network instead of public Wi-Fi mitigates the risk, as the network is controlled by the mobile device.
  • Disable Option 121: Disable it on endpoints where possible, keeping in mind that this may disrupt some network connectivity.
