Possible vulnerability: TunnelVision (CVE-2024-3661)

Hi!

Found the following article:

And this video:

Can anyone official from OpenWrt check this and patch it if it is present?

Already discussed here:


No patch, probably worth flipping the default to help unaware masses.


Can you clarify?

@psherman in this case can external DHCP requests be BLOCKED?

It is not about external DHCP requests. In fact, the DHCP server in OpenWrt is usually (i.e. by default) only active on downstream networks (i.e. lan). It does not listen on the wan interface and the firewall blocks input on the wan anyway, so the issue is not about requests.

The problem is related to DHCP client mode operation. If the upstream DHCP server's configuration has maliciously crafted routes, the DHCP client will implement those routes based on the DHCP option.

I like the way that this video explains the issue:


That's what I meant. Is there any way to protect from it? Even if this causes connection loss when an attack occurs, it is better than being under attack.

Read the other thread; it has documentation and copypasta to disable option 121.


In the other thread this link was posted:
https://openwrt.org/docs/guide-user/network/ipv4/configuration#protocol_dhcp

And this code:
# stop the wan DHCP client from installing routes received via DHCP option 121
uci set network.wan.classlessroute=0
uci commit
service network reload

But in the link there is no such code.

So what should I enter? I am confused…

The link doesn't have the code, but it shows the option. Setting classless route to 0 will prevent this problem.

The same code you referenced.

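To make the mechanism from the earlier reply concrete (a DHCP client honouring option 121 routes pushed by the upstream server) and to show what the classlessroute=0 setting prevents, here is an added Python example. It is not OpenWrt code and not code from this thread; it decodes an RFC 3442 option 121 payload and resolves a few destinations with longest-prefix matching against a VPN default route. The payload, the 192.168.1.x gateways, the tun0 name and the test addresses are all constructed for illustration.

```python
"""Decode DHCP option 121 (RFC 3442 classless static routes) and show why
a DHCP client that honours it can have its VPN default route bypassed
(TunnelVision, CVE-2024-3661).

Added example for this thread; not OpenWrt or DHCP-client code.
"""
import ipaddress

# Constructed option 121 payload imitating a rogue DHCP server (not a capture).
# RFC 3442 encoding per route: <prefix length> <significant dest octets> <router>
ROGUE_OPTION_121 = bytes([
    1, 0x00,       192, 168, 1, 1,    # 0.0.0.0/1    via 192.168.1.1
    1, 0x80,       192, 168, 1, 1,    # 128.0.0.0/1  via 192.168.1.1
    16, 10, 20,    192, 168, 1, 254,  # 10.20.0.0/16 via 192.168.1.254 (looks benign)
])

VPN_DEFAULT = (ipaddress.IPv4Network("0.0.0.0/0"), "tun0")  # assumed VPN route


def parse_option121(payload):
    """Return [(IPv4Network, IPv4Address), ...] decoded from an option 121 value."""
    routes = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i - 1}")
        n = (plen + 7) // 8  # only the significant destination octets are on the wire
        if i + n + 4 > len(payload):
            raise ValueError("truncated route entry")
        dest = int.from_bytes(payload[i:i + n] + b"\x00" * (4 - n), "big")
        router = ipaddress.IPv4Address(payload[i + n:i + n + 4])
        i += n + 4
        # strict=False: mask host bits like a lenient client would instead of rejecting
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False), router))
    return routes


def egress_for(dest, dhcp_routes, vpn_default=VPN_DEFAULT):
    """Longest-prefix match over the VPN default plus DHCP-installed routes.

    Returns the VPN interface name, or 'physical via <gw>' when a DHCP route wins.
    """
    dest = ipaddress.IPv4Address(dest)
    table = [vpn_default] + [(net, f"physical via {gw}") for net, gw in dhcp_routes]
    matches = [(net.prefixlen, label) for net, label in table if dest in net]
    return max(matches)[1]  # the most specific prefix wins, exactly as the kernel does


def covers_everything(dhcp_routes):
    """True when the pushed prefixes merge to 0.0.0.0/0 (the two /1 TunnelVision trick)."""
    merged = list(ipaddress.collapse_addresses(net for net, _ in dhcp_routes))
    return merged == [ipaddress.IPv4Network("0.0.0.0/0")]


if __name__ == "__main__":
    routes = parse_option121(ROGUE_OPTION_121)
    for net, gw in routes:
        print(f"option 121 pushes {net} via {gw}")
    print("whole address space shadowed:", covers_everything(routes))
    for dst in ("1.1.1.1", "203.0.113.10"):
        print(f"{dst} -> {egress_for(dst, routes)}")
    # classlessroute=0 means no option 121 routes get installed at all:
    print("with classlessroute=0: 1.1.1.1 ->", egress_for("1.1.1.1", []))
```

The two /1 routes never touch the VPN's 0.0.0.0/0 entry; they simply out-specify it, which is why a connected tunnel and a leaking route table coexist. The empty-routes call at the end is the state the uci command above produces: nothing from option 121 reaches the routing table, so the tunnel default keeps winning.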

Go to the menu through LuCI: Interfaces » wwan, and under DHCP Server check the "Ignore interface" box.

The DHCP server will be completely disabled on the wan interface and there will be no need to configure anything there :)
And of course, if you turn it on, it will be a vulnerability; you can turn on a lot of things so that there is a vulnerability. You just raised a fuss over nothing.

I second @brada4's advice, but I know this can be used for, among other things, IPTV, so the users relying on these routes will have to change settings after an upgrade.
This should be well documented ;)

Can you please provide me a screenshot? I can't find this menu. Probably I am doing something wrong.

There you need to click Create or Add, and this item will appear.

Wrong thread?

JFTR: "WWAN" is not a default interface; it sounds like you take your upstream via Wi-Fi.

I'm connected via Wi-Fi

Here is a screenshot from the second router.

Just a wan interface; I don't know which one you have :)

https://openwrt.org/docs/guide-user/network/ipv4/configuration#protocol_dhcp

If you believe what is written at this link, then it matters, and the classlessroute vulnerability will not have any meaning if you check the box.
Maybe it somehow affects the lan interface, I don't know; then you probably need to disable it on the lan interface.


Please stop posting when you have no idea what you're talking about (which unfortunately appears to be most of the time).

Disabling the DHCP server on an interface (WAN or otherwise) has nothing to do with whether it will request an address through DHCP. It's the latter (i.e. acting as a DHCP client) that has the potential to have a rogue route installed.


By default there is no DHCP item on the wan interface, at least in LuCI; it must be created.