Summary:
A new vulnerability, CVE-2024-3661, exposes a flaw in how VPNs rely on routing rules for security. By abusing DHCP’s _classless static route option_ (option 121), attackers can force traffic meant for the VPN to leak onto the local network. This post breaks down the bug, shows you how it works with code, and explains why it’s a big deal for anyone using VPN-based security.
What’s the Problem?
Dynamic Host Configuration Protocol (DHCP) is what gives your device an IP address when you connect to a network. But it can do more. Through option 121, DHCP servers can push custom routing rules straight to your computer.
Some VPNs rely on routing rules to send all traffic through the secure VPN interface (like tun). But if your machine trusts the DHCP server on the local network, someone on the same Wi-Fi (like in a coffee shop) can use this option to add routes that bypass the VPN, silently leaking your data.
Attack scenario:
- Attacker sets up a rogue DHCP server on a shared network (e.g., Wi-Fi)
- DHCP hands out a route that sends certain traffic (like banking sites or cloud services) over the local interface, not the VPN
Who's affected:
- Enterprise setups using route-based VPN security
- OSes and VPN clients that trust all DHCP options by default (Linux, Windows, macOS, and some mobile platforms)
Explaining Classless Static Route Option (121)
A DHCP server can reply with Option 121 to push new routes into your computer's routing table. In effect, each entry says: "For this destination, use this gateway." If that destination overlaps with what the VPN is supposed to protect, trouble starts, because the kernel picks the most specific matching route, not the one the VPN client installed.
> Official DHCP Option 121 Reference:
> RFC 3442: The Classless Static Route Option for DHCP
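To make the on-the-wire encoding concrete, here is a small decoder for an Option 121 payload, added as an example and not code from the original post. It follows the RFC 3442 layout (one byte of prefix length, then only the significant octets of the destination, then a four-byte router) and assumes IPv4 only; the sample byte strings are constructed.

```python
import ipaddress


def decode_option_121(data: bytes):
    """Decode a DHCP option 121 payload (RFC 3442) into (destination, router) pairs.

    Each route is encoded as: 1 byte prefix length, then only the significant
    octets of the destination (0 octets for /0, 1 for /1-/8, 2 for /9-/16,
    3 for /17-/24, 4 for /25-/32), then the 4-byte router address.
    Note that RFC 3442 tells a client that receives option 121 to ignore the
    plain Router option (3), so a rogue reply can replace the default gateway too.
    """
    routes = []
    pos = 0
    while pos < len(data):
        width = data[pos]
        pos += 1
        if width > 32:
            raise ValueError(f"prefix length {width} is not valid for IPv4")
        n_octets = (width + 7) // 8
        if pos + n_octets + 4 > len(data):
            raise ValueError("option 121 payload is truncated")
        # pad the significant octets back out to a full 4-byte address
        dest = data[pos:pos + n_octets] + bytes(4 - n_octets)
        pos += n_octets
        router = ipaddress.IPv4Address(data[pos:pos + 4])
        pos += 4
        # strict=False tolerates host bits set inside the significant octets
        routes.append((ipaddress.IPv4Network((dest, width), strict=False), router))
    return routes


if __name__ == "__main__":
    # Constructed payload: a /32 host route and a replacement default route.
    sample = bytes([32, 192, 168, 50, 1, 192, 168, 50, 1,
                    0, 10, 0, 0, 1])
    for dest, router in decode_option_121(sample):
        print(f"{dest} via {router}")
```

Feeding the decoder the bytes a DHCP client actually received (for example from a packet capture) shows exactly which destinations a reply tried to steer, which is the first thing to check when a routing table looks wrong after joining a network.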
Real-World Example
Let's say your VPN is supposed to force everything to go through 10.8.0.1 (the VPN gateway).
But a rogue DHCP server hands you a routing option:
Option 121: 192.168.1.0/24 via 192.168.1.1 (the attacker)
Now, all your traffic to 192.168.1.x will avoid the VPN altogether — even though you thought it was secure.
1. Attacker Sets Up a Rogue DHCP Server
/etc/dhcp/dhcpd.conf snippet:
```conf
# On dhcpd builds that have no built-in name for option 121, declare it first:
# option classless-static-routes code 121 = array of unsigned integer 8;

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.10 192.168.1.100;
  option routers 192.168.1.1;
  # The magic: Option 121 (classless static routes)
  # RFC 3442 encoding: prefix length, significant octets of the destination, then the router
  # 32 = /32 host route to 192.168.50.1, via 192.168.50.1
  option classless-static-routes 32, 192, 168, 50, 1, 192, 168, 50, 1;
}
```
This injects a route that says:
"To 192.168.50.1, use 192.168.50.1 as the gateway" (which the attacker controls).
You could make this more targeted, e.g. for any sensitive subnet.
2. Victim Connects to the Wi-Fi
Their device blindly installs the new route, because most OSes trust DHCP.
3. Attacker Captures Traffic
Now, a request to any destination covered by the injected route (think curl https://bank.com, if its address falls inside it) goes straight out over the local interface instead of tun, where it can be sniffed or modified.
If you're testing, you can run tcpdump to watch the DHCP exchange in which the routes are delivered:
```bash
sudo tcpdump -npi eth0 port 67 or port 68
```
And on a Linux client:
```bash
ip route show | grep 192.168.50
```
You'll spot the injected route right away.
Why Does This Matter?
Many VPN users think their traffic is safe just because they see the VPN icon. But if their routing table is poisoned, the network can easily leak or hijack what they do, even with secure websites and apps.
Mitigations
- Check your routing table (ip route on Linux) after joining any new network and look for routes that point at the physical interface instead of the VPN interface.
- Disable accepting classless static routes if you don't need them.
- On Linux:
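To make the routing-table check repeatable, here is a small Python script, added here as an example rather than code from the original post, that parses the output of ip route show and flags routes that would beat the VPN in the kernel's longest-prefix match. The sample output, the interface name tun0 and the VPN server address 203.0.113.5 are constructed, and the OpenVPN-style 0.0.0.0/1 plus 128.0.0.0/1 override of the default route is an assumption. It goes slightly beyond the host-route case above: any physical-interface route more specific than a VPN route is reported, including an oversized connected subnet that does not contain the default gateway.

```python
import ipaddress

# Constructed sample of `ip route show` from a Linux client with its VPN up on
# tun0. The VPN uses the common 0.0.0.0/1 + 128.0.0.0/1 pair to override the
# default route; 203.0.113.5 stands in for the VPN server; the 192.168.50.1
# host route is the kind of entry a DHCP option 121 reply can install.
SAMPLE_IP_ROUTE = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.42 metric 100
192.168.50.1 via 192.168.1.1 dev eth0 proto dhcp metric 100
203.0.113.5 via 192.168.1.1 dev eth0 metric 100
"""


def parse_ip_route(text):
    """Parse `ip route show` lines into dicts with dst, dev, via and proto."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        route = {"dst": ipaddress.ip_network(prefix, strict=False),
                 "dev": None, "via": None, "proto": None}
        # keyword/value pairs such as "via 192.168.1.1", "dev eth0", "proto dhcp"
        for key, value in zip(fields[1:], fields[2:]):
            if key in ("dev", "via", "proto"):
                route[key] = value
        if route["via"] is not None:
            route["via"] = ipaddress.ip_address(route["via"])
        routes.append(route)
    return routes


def find_vpn_bypass_routes(text, vpn_dev="tun0", vpn_server=None):
    """Return routes that would carry traffic around vpn_dev.

    Legitimately outside the tunnel: the original default route (the VPN's
    /1 routes are more specific and win), the connected subnet that holds the
    default gateway, and the host route to the VPN server itself. Any other
    route that is more specific than a VPN route wins longest-prefix match
    against the tunnel, which is exactly what an injected option 121 route does.
    """
    routes = parse_ip_route(text)
    vpn_prefixes = [r["dst"] for r in routes if r["dev"] == vpn_dev]
    gateways = [r["via"] for r in routes
                if r["dst"].prefixlen == 0 and r["via"] is not None]
    server_net = ipaddress.ip_network(vpn_server) if vpn_server else None

    suspicious = []
    for r in routes:
        if r["dev"] == vpn_dev or r["dst"].prefixlen == 0:
            continue
        if server_net is not None and r["dst"] == server_net:
            continue
        if r["via"] is None and any(gw in r["dst"] for gw in gateways):
            continue  # the LAN subnet needed to reach the default gateway
        if any(r["dst"].subnet_of(p) for p in vpn_prefixes):
            suspicious.append(r)
    return suspicious


if __name__ == "__main__":
    for r in find_vpn_bypass_routes(SAMPLE_IP_ROUTE, vpn_server="203.0.113.5"):
        print(f"bypasses VPN: {r['dst']} via {r['via']} dev {r['dev']} proto {r['proto']}")
```

Run against the real command output (for example the result of subprocess.run(["ip", "route", "show"])) right after the VPN reports it is connected; the proto field tells you whether a flagged route arrived via DHCP, which is the signature of this bug rather than a misconfigured VPN profile.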
References and Further Reading
- CVE-2024-3661 at NIST NVD
- DHCP Option 121 (RFC 3442)
- OpenVPN Route Leaks Discussion
- Mitigation Guide: VPN Route Injection
Final Word
CVE-2024-3661 shows how a single overlooked DHCP option can punch a hole in VPN privacy. If you use a VPN on public Wi-Fi — or manage one for your company — check your client settings. Don’t trust just the VPN logo; trust your routing table.
Have you tested your VPN for route injection? Let us know your findings in the comments.
Timeline
Published on: 05/06/2024 19:15:11 UTC
Last modified on: 05/08/2024 22:15:49 UTC