SentinelOne
CVE Vulnerability Database
Vulnerability Database/CVE-2024-3661

CVE-2024-3661: Fortinet FortiClient VPN Leak Vulnerability

CVE-2024-3661 is an information disclosure vulnerability in Fortinet FortiClient that allows attackers to bypass VPN protection and intercept network traffic. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2024-3661 Overview

DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.

Critical Impact

This vulnerability exposes sensitive network traffic, leading to unauthorized access to data that should be protected by VPN.

Affected Products

  • Fortinet Forticlient
  • Cisco AnyConnect VPN Client
  • Palo Alto Networks GlobalProtect

Discovery Timeline

  • 2024-05-06 - CVE-2024-3661 published to NVD
  • 2025-01-15 - Last updated in NVD database

Technical Details for CVE-2024-3661

Vulnerability Analysis

The vulnerability leverages the DHCP classless static route option (121) to manipulate client routing tables. This can cause VPN traffic to divert to unintended networks, exposing data to potential adversaries.

Root Cause

The issue arises from improper handling of DHCP options, which allows unauthorized routes to be added without adequate validation.

Attack Vector

Attackers can exploit this vulnerability from an adjacent network, such as being on the same local area network (LAN).

bash
# Exploitation demonstration with DHCP
sudo dhcpd -cf /etc/dhcp/dhcpd.conf
option rfc3442-classless-static-routes 0, 0, 0, 0, 192, 168, 1, 1;

Detection Methods for CVE-2024-3661

Indicators of Compromise

  • Unexpected routes in routing tables
  • Outgoing traffic bypassing VPNs
  • DHCP logs with unusual route configurations

Detection Strategies

Monitoring DHCP logs for the inclusion of option 121 and auditing routing tables for unauthorized routes can help in early detection.

Monitoring Recommendations

  • Implement network monitoring on DHCP servers
  • Use IDS/IPS solutions to inspect changes in routing tables

How to Mitigate CVE-2024-3661

Immediate Actions Required

  • Disable the processing of option 121 on DHCP clients
  • Audit routing tables for unauthorized entries
  • Implement network segmentation to isolate trusted devices

Patch Information

Please refer to the vendor advisories for specific patch information:

Workarounds

Disabling the acceptance of option 121 in DHCP configurations can mitigate this issue temporarily.

bash
# Disable option 121 in DHCP client configuration
interface eth0
    # Discard all but essential DHCP options
    request subnet-mask, broadcast-address, time-offset, routers, domain-name, domain-name-servers, host-name;

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne