Article Summary: Secure your VPN from Tunnelvision attacks with NetworkManager
Article Description:
Some months ago a way to bypass the security of VPN clients was disclosed. It received the name of “Tunnelvision” and got the CVE ID CVE-2024-3661 assigned. For a malicious owner of a network that the victim connects to, it is trivial to exploit the vulnerability.
The article would present a way to protect against it using policy routing and would explain how to apply that configuration using NetworkManager. Tentative structure of the article:
https://discussion.fedoraproject.org/t/article-proposal-secure-your-vpn-from-tunnelvision-attacks-with-networkmanager/142943/1
Metadata Update from @rlengland: - Issue assigned to ihuguet
Hi. The preview of the article is ready for review: https://fedoramagazine.org/?p=41573&preview=true&preview_id=41573
Metadata Update from @rlengland: - Custom field preview-link adjusted to https://fedoramagazine.org/?p=41573&preview=true&preview_id=41573
Metadata Update from @rlengland: - Custom field image-editor adjusted to rlengland - Issue untagged with: needs-image
@ihuguet I've added a feature image to your article, reviewed, and edited. The edits are mostly minor things like reducing some sentence length and complexity. This would be a great time for you to read the article to make certain I haven't introduced any irregularities.
Thanks.
Metadata Update from @rlengland: - Custom field editor adjusted to rlengland
Hi! I have made a few minor edits (Tunnelvision -> TunnelVision, autoconf -> SLAAC). I have also edited the second paragraph of the last section a bit, as it was a bit confusing. It looks good to me now.
@ihuguet Thanks for your work on this article. It is scheduled for publication tomorrow, 29 January 0800UTC
@rlengland Amazing, thank you!
It seems that the scheduled publishing has failed, though. Please take a look.
@ihuguet, not certain what happened but the article is available now.
@rlengland we have discovered that the mitigation doesn't protect against one unusual variant of one of the attacks that the article claims to protect from. Would it be possible to do a small edition of the text? If yes, how should I do it?
@ihuguet Simplest process for me is probably to have you provide the text you wish to insert. Provide the exact location at which you wish it to be inserted by quoting the text around with the new text or changes in place.
@glb may have another/better suggestion.
Ok, here it goes:
Where it says "and other similar attacks like TunnelCrack", strike out "TunnelCrack" and add this after it: "(EDIT: it does protect against TunnelCrack's LocalNet attack, but not against ServerIP attack, see details at the end)".
Then, the following explanation at the end of the article (or other suitable place that you think is better):
This mitigation doesn't protect against TunnelCrack's ServerIP attack. As this attack relies on spoofing the DNS reply when resolving the hostname of the VPN, we believe that it can be avoided by configuring the IP of the VPN server instead of its hostname (not confirmed).
This is a direct link to the ServerIP attack, inside the TunnelCrack website (to make it clear: ServerIP is a subtype of TunnelCrack): https://tunnelcrack.mathyvanhoef.com/#serveripdetails
I've made a correction to the article. Please take a look.
But I'm not certain about your last comment here. Do you wish the current "TunnelCrack" link to be modified?
Or is the link to be applied to ServerIP here? "...doesn't protect against TunnelCrack's ServerIP attack..."
Command decision. I placed the link on "ServerIP" as I indicated above. Please review and let us know if my interpretation is correct or not. :confused:
Yes, that's exactly what I meant. Sorry for the lack of clarity. The edition is fine. Thanks!
Issue status updated to: Closed (was: Open) Issue close_status updated to: published