CVE-2024-3661 Overview
DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.
Critical Impact
This vulnerability exposes sensitive network traffic, leading to unauthorized access to data that should be protected by VPN.
Affected Products
- Fortinet Forticlient
- Cisco AnyConnect VPN Client
- Palo Alto Networks GlobalProtect
Discovery Timeline
- 2024-05-06 - CVE-2024-3661 published to NVD
- 2025-01-15 - Last updated in NVD database
Technical Details for CVE-2024-3661
Vulnerability Analysis
The vulnerability leverages the DHCP classless static route option (121) to manipulate client routing tables. This can cause VPN traffic to divert to unintended networks, exposing data to potential adversaries.
Root Cause
The issue arises from improper handling of DHCP options, which allows unauthorized routes to be added without adequate validation.
Attack Vector
Attackers can exploit this vulnerability from an adjacent network, such as being on the same local area network (LAN).
# Exploitation demonstration with DHCP
sudo dhcpd -cf /etc/dhcp/dhcpd.conf
option rfc3442-classless-static-routes 0, 0, 0, 0, 192, 168, 1, 1;
Detection Methods for CVE-2024-3661
Indicators of Compromise
- Unexpected routes in routing tables
- Outgoing traffic bypassing VPNs
- DHCP logs with unusual route configurations
Detection Strategies
Monitoring DHCP logs for the inclusion of option 121 and auditing routing tables for unauthorized routes can help in early detection.
Monitoring Recommendations
- Implement network monitoring on DHCP servers
- Use IDS/IPS solutions to inspect changes in routing tables
How to Mitigate CVE-2024-3661
Immediate Actions Required
- Disable the processing of option 121 on DHCP clients
- Audit routing tables for unauthorized entries
- Implement network segmentation to isolate trusted devices
Patch Information
Please refer to the vendor advisories for specific patch information:
Workarounds
Disabling the acceptance of option 121 in DHCP configurations can mitigate this issue temporarily.
# Disable option 121 in DHCP client configuration
interface eth0
# Discard all but essential DHCP options
request subnet-mask, broadcast-address, time-offset, routers, domain-name, domain-name-servers, host-name;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
