Vulnerability-Lookup

alsa-2025:0288

Vulnerability from osv_almalinux

Published

2025-01-13 00:00

Modified

2025-01-13 21:27

Summary

Moderate: Bug fix of NetworkManager

Details

Security and Bug Fix(es):

NetworkManager: DHCP routing options can manipulate interface-based VPN traffic (CVE-2024-3661)
Route to VPN server not stored in routing table that is specified by ipv4.route-table (JIRA:AlmaLinux-73051)
VPN connections do not support ipv4.routing-rules settings (JIRA:AlmaLinux-73052)

References

URL

Type

	https://access.redhat.com/errata/RHSA-2025:0288	ADVISORY
	https://access.redhat.com/security/cve/CVE-2024-3661	REPORT
	https://errata.almalinux.org/8/ALSA-2025-0288.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "NetworkManager"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:1.40.16-18.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "NetworkManager-adsl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:1.40.16-18.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "NetworkManager-bluetooth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:1.40.16-18.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "NetworkManager-cloud-setup"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:1.40.16-18.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "NetworkManager-config-connectivity-redhat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:1.40.16-18.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "NetworkManager-config-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:1.40.16-18.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "NetworkManager-dispatcher-routing-rules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:1.40.16-18.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "NetworkManager-initscripts-updown"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:1.40.16-18.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "NetworkManager-libnm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:1.40.16-18.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "NetworkManager-libnm-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:1.40.16-18.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "NetworkManager-ovs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:1.40.16-18.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "NetworkManager-ppp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:1.40.16-18.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "NetworkManager-team"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:1.40.16-18.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "NetworkManager-tui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:1.40.16-18.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "NetworkManager-wifi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:1.40.16-18.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "NetworkManager-wwan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:1.40.16-18.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Security and Bug Fix(es):  \n\n  * NetworkManager: DHCP routing options can manipulate interface-based VPN traffic (CVE-2024-3661)\n  * Route to VPN server not stored in routing table that is specified by ipv4.route-table (JIRA:AlmaLinux-73051)\n  * VPN connections do not support ipv4.routing-rules settings (JIRA:AlmaLinux-73052)\n\n\n",
  "id": "ALSA-2025:0288",
  "modified": "2025-01-13T21:27:29Z",
  "published": "2025-01-13T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2025:0288"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2024-3661"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2025-0288.html"
    }
  ],
  "related": [
    "CVE-2024-3661"
  ],
  "summary": "Moderate: Bug fix of NetworkManager"
}

CVE-2024-3661 (GCVE-0-2024-3661)

Vulnerability from cvelistv5 – Published: 2024-05-06 18:31 – Updated: 2024-08-28 19:09

Title

DHCP routing options can manipulate interface-based VPN traffic

Summary

DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.

Severity ?

7.6 (High)


                        
                          CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CWE

CWE-306 - Missing Authentication for Critical Function
CWE-501 - Trust Boundary Violation

Assigner

cisa-cg

References

URL

Tags

	https://datatracker.ietf.org/doc/html/rfc2131#section-7
	https://datatracker.ietf.org/doc/html/rfc3442#section-7
	https://tunnelvisionbug.com/
	https://www.leviathansecurity.com/research/tunnelvision
	https://news.ycombinator.com/item?id=40279632
	https://arstechnica.com/security/2024/05/novel-at…
	https://krebsonsecurity.com/2024/05/why-your-vpn-…
	https://issuetracker.google.com/issues/263721377
	https://mullvad.net/en/blog/evaluating-the-impact…
	https://www.zscaler.com/blogs/security-research/c…
	https://lowendtalk.com/discussion/188857/a-rogue-…
	https://news.ycombinator.com/item?id=40284111
	https://www.agwa.name/blog/post/hardening_openvpn…
	https://www.theregister.com/2024/05/07/vpn_tunnel…
	https://support.citrix.com/article/CTX677069/clou…
	https://www.watchguard.com/wgrd-psirt/advisory/wg…
	https://bst.cisco.com/quickview/bug/CSCwk05814
	https://security.paloaltonetworks.com/CVE-2024-3661
	https://fortiguard.fortinet.com/psirt/FG-IR-24-170
	https://my.f5.com/manage/s/article/K000139553

Impacted products

	Vendor	Product	Version
	IETF	DHCP	Affected: 0

Date Public ?

2002-12-31 01:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T20:20:00.420Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://datatracker.ietf.org/doc/html/rfc2131#section-7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://datatracker.ietf.org/doc/html/rfc3442#section-7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://tunnelvisionbug.com/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.leviathansecurity.com/research/tunnelvision"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://news.ycombinator.com/item?id=40279632"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issuetracker.google.com/issues/263721377"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://news.ycombinator.com/item?id=40284111"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.agwa.name/blog/post/hardening_openvpn_for_def_con"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bst.cisco.com/quickview/bug/CSCwk05814"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.paloaltonetworks.com/CVE-2024-3661"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-170"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://my.f5.com/manage/s/article/K000139553"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-3661",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-08T04:00:07.962328Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-28T19:09:06.995Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "DHCP",
          "vendor": "IETF",
          "versions": [
            {
              "status": "affected",
              "version": "0"
            }
          ]
        }
      ],
      "datePublic": "2002-12-31T01:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "DHCP can add routes to a client\u2019s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN."
            }
          ],
          "value": "DHCP can add routes to a client\u2019s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-501",
              "description": "CWE-501 Trust Boundary Violation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-01T15:04:50.790Z",
        "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "shortName": "cisa-cg"
      },
      "references": [
        {
          "url": "https://datatracker.ietf.org/doc/html/rfc2131#section-7"
        },
        {
          "url": "https://datatracker.ietf.org/doc/html/rfc3442#section-7"
        },
        {
          "url": "https://tunnelvisionbug.com/"
        },
        {
          "url": "https://www.leviathansecurity.com/research/tunnelvision"
        },
        {
          "url": "https://news.ycombinator.com/item?id=40279632"
        },
        {
          "url": "https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/"
        },
        {
          "url": "https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/"
        },
        {
          "url": "https://issuetracker.google.com/issues/263721377"
        },
        {
          "url": "https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision"
        },
        {
          "url": "https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability"
        },
        {
          "url": "https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic"
        },
        {
          "url": "https://news.ycombinator.com/item?id=40284111"
        },
        {
          "url": "https://www.agwa.name/blog/post/hardening_openvpn_for_def_con"
        },
        {
          "url": "https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/"
        },
        {
          "url": "https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661"
        },
        {
          "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009"
        },
        {
          "url": "https://bst.cisco.com/quickview/bug/CSCwk05814"
        },
        {
          "url": "https://security.paloaltonetworks.com/CVE-2024-3661"
        },
        {
          "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-170"
        },
        {
          "url": "https://my.f5.com/manage/s/article/K000139553"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "DHCP routing options can manipulate interface-based VPN traffic",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
    "assignerShortName": "cisa-cg",
    "cveId": "CVE-2024-3661",
    "datePublished": "2024-05-06T18:31:21.217Z",
    "dateReserved": "2024-04-11T17:24:22.637Z",
    "dateUpdated": "2024-08-28T19:09:06.995Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted