Hello and welcome to the Tuesday, May 7, 2020,

4 edition of the Sands and its Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from San Francisco, California.

Today we got two different VPN-related vulnerabilities.

The first one affects multiple VPN implementations and relies on DHCP options to configure routing.

The vulnerability was documented by researchers from Leviton Security Group.

For example, as I record this podcast, I'm connected to a hotel wireless network. To

connect to the network, I need to accept a DHCP lease. This lease typically includes at least

a default gateway, an IP address, and possibly DNS servers. The VPN is only enabled after the laptop is connected to the local network.

After all, it has to reach the VPN server.

A decent VPN will usually override the DNS servers provided by the HCP,

so that's not the problem here.

And then add a new route that will send all traffic that's not local to the VPN interface.

However, DHCP has an option to configure specific routes.

This option, option number 121, is implemented on many current operating systems.

I believe Android was an exception and has been around for about 20 years.

Linux has a feature called Network Namespaces that can be used to overwrite these routing rules.

So Linux can be configured to actually prevent some of the issues.

But basically, what's happening is that the DHCP server will advertise a more specific route

using Option 121.

Typically, if they're conflicting routes to a particular destination, the more specific one is being used.

And that's how an attacker who has control over the local DHCP server could trick you to leak some traffic outside of the VPN.

...