Impact of the TunnelVision vulnerability on F-Secure VPN products A recently detected vulnerability known as TunnelVision (CVE-2024-3661) exposes a weakness that allows attackers to bypass VPN encryption and gain access to users' network traffic. More information on the vulnerability is available in the following article: CVE-2024-3661: TunnelVision - How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak - Leviathan Security Group - Penetration Testing, Security Assessment, Risk Advisory.
F-Secure has checked the situation with our VPN products and how they behave in this attack, which utilizes the DHCP option 121, with the following findings:
Windows and Mac
Windows and Mac versions of our products use the operating system firewall to prevent traffic from leaking outside the VPN tunnel. This prevents network traffic from going to the routes set by the attacker.
Android
The Android operating system does not support DHCP option 121, so it is not vulnerable.
iOS
On Apple iPhones and iPads, our VPN uses the operating system's own VPN implementation and is vulnerable to this issue, as the operating system on those devices supports DHCP option 121. Because of this, an attacker could hijack part of the traffic even when our VPN is turned on.
It appears that Apple is the only party that can fix this issue. We have reported this vulnerability to them already and we are waiting for their response.
Until Apple provides a fix, we recommend that you do not use WiFi networks, but mobile data connections instead.
