#VU91755 Man-in-the-Middle (MitM) attack in Fortinet, Inc products - CVE-2024-3661


| Updated: 2025-04-02

Vulnerability identifier: #VU91755

Vulnerability risk: Medium

CVSSv4.0: 0.6 [CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-3661

CWE-ID: CWE-300

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Fortinet FortiClient for Windows
Server applications / Other server solutions
FortiClient (Linux)
Client/Desktop applications / Software for system administration
FortiClient (macOS)
Client/Desktop applications / Software for system administration

Vendor: Fortinet, Inc

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to way the VPN client handles routes advertised by the DHCP server. A remote attacker with access to the local network can route the victim's traffic to a malicious server instead of sending it via a secured channel. 

This vulnerability was dubbed "TunnelVision".

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Fortinet FortiClient for Windows: 0, 1.0.0 - 1.0.5, 1.2.0 - 1.2.5, 4.0.0 - 4.0.2, 4.1.0, 4.2.0, 4.3.0 - 4.3.3.445, 5.0.1 - 5.0.11, 5.2.0 - 5.2.028, 5.4.0 - 5.4.5, 5.6.0 - 5.6.6, 6.0.0 - 6.0.10, 6.2.0 - 6.2.9, 6.4.0 - 6.4.10, 7.0.0 - 7.0.12, 7.2.0 - 7.2.4

FortiClient (Linux): 6.0.0 - 7.2.4

FortiClient (macOS): 5.6.6 - 7.2.4

External links
https://datatracker.ietf.org/doc/html/rfc2131#section-7
https://datatracker.ietf.org/doc/html/rfc3442#section-7
https://tunnelvisionbug.com/
https://www.leviathansecurity.com/research/tunnelvision
https://news.ycombinator.com/item?id=40279632
https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/
https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/
https://issuetracker.google.com/issues/263721377
https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision
https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability
https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic
https://news.ycombinator.com/item?id=40284111
https://www.agwa.name/blog/post/hardening_openvpn_for_def_con
https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/
https://www.fortiguard.com/psirt/FG-IR-24-170

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


TunnelVision vulnerability in HPE Aruba Networking Virtual Intranet Access clients
Anolis OS update for NetworkManager
Multiple vulnerabilities in IBM QRadar SIEM
Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.15
Multiple vulnerabilities in OpenShift API for Data Protection (OADP) 1.4
Red Hat Enterprise Linux update for NetworkManager
Red Hat Enterprise Linux 8 update for NetworkManager
MitM attack in Fortinet FortiClient