Tunnelvision VPN vulnerability

I.e. CVE-2024-3661 (NVD - CVE-2024-3661)

I read that android is immune to this vulnerability, since it does NOT support DHCP option 121; what’s the matter with SFOS?

The DHCP types that are handled are defined in gdhcp/common.h and the pre-defined values that can be set by the client are in gdhcp/gdhcp.h. Neither contains 121 (or 79 in hex).

However, the parsing of DHCP message can include plain number values, since dhcp_get_option() uses the value passed to it. And g_dhcp_client_set_request() is used to set the values parsed from the request sent to the registered dhcp client.

One can see by themselves by

mkdir sfos_git_repos && cd sfos_git_repos && \
git clone https://github.com/sailfishos/connman.git && cd connman/connman

Then look for the uses of the functions to use the options and to set the options:

find * -type f -name *.[ch] -exec grep -B 1 -A 1 -e "dhcp_get_option" -e "g_dhcp_client_set_request" {} +

So Sailfish OS is not affected as ConnMan handles all DHCP incoming from the network to the device. With a quick glance the upstream does not have it either.

5 Likes

Well, so good news for us, as I understand?

thank you
:relaxed:

Yes, this is good news. To sum up, Sailfish OS is not vulnerable, as the DHCP option 121 is not read from DHCP packets.

This can be verified by anyone willing to do so with the instructions setup by the organization who found and published the issue: GitHub - leviathansecurity/TunnelVision: A network technique that decloaks a VPN users traffic on a local network without disconnecting them from a VPN.

2 Likes