TunnelVision

I was wondering what Norton's position on the recently revealed TunnelVision exploit is. Has Norton published any information regarding TunnelVision? 

 

I simulated a TunnelVision attack on Norton Secure VPN and the VPN traffic is decloaked. I assume that the function 'access local devices with VPN' does not prevent communication with a local DHCP server. 

FWIW!! VPN leaks can happen when both IPv4 & IPv6 are enabled together. Historically, Norton VPN leaks with IPv6 enabled. Improperly configured DNS can also make things worse.

SA

Hi,

Thank you for posting on the Norton Community. We are discussing this. Once we have more information that we can share, I'll post to this forum thread. Thank you. 

A VPN user can protect themselves from this attack by creating an isolated network environment prior to connecting to the VPN (like a VM with a NAT adapter), among other things. I'm less sure about what VPN providers can do to mitigate this, but enforcing firewall rules to prevent leakage can result in a selective denial-of-service, which is preferable.

 

 

@Gayathri_R This is one for the Norton team to get on pronto!!

Conversely, there are suggestions from Microsoft: 

https://learn.microsoft.com/en-us/answers/questions/1683009/dhcp-option-121-on-windows

Copilot with GPT-4 (bing.com) * Windows 10/11 Pro users can enable RSAT (if installed) and disable the option 121 MIMIC there

SA

The research team that discovered this has a GitHub page detailing how an attack can be performed: https://github.com/leviathansecurity/TunnelVision?tab=readme-ov-file#rogue-admin-lab 

I've tested this with the Mimic protocol as well, but I get the same results. As far as I can tell, it is a protocol-independent exploit. 

 

Hello. How did you "simulate" TunnelVision as an exploit against the Norton VPN?

Firstly, anyone presenting this attack MUST FIRST have administration control of the network involved. AKA, a network they want you to connect to, not the VPN server you are trying to connect to. That being said, it isn't logical that anyone could have access to any of Norton's VPN servers or their networks anywhere in the world without Norton knowing of it. Norton does use WireGuard, although MIMIC is the preferred protocol, having better security overall. That protocol is available in the Norton VPN settings per the below article under #7. 

https://us.norton.com/blog/privacy/vpn-protocols

SA
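
A way to check what a local DHCP server is handing out: option 121, named in the Microsoft link above, carries classless static routes in the RFC 3442 encoding. The following is an added example, not part of any post in this thread and not Norton's or the researchers' code; it decodes an option 121 payload and lists pushed routes that are more specific than the prefixes the VPN tunnels. The function names, the `review`/`alert` labels and the sample bytes are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_option_121(payload: bytes):
    """Decode RFC 3442 routes: [prefix_len][significant dest octets][4-byte router]..."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i}")
        n = (plen + 7) // 8            # only the significant octets are sent
        end = i + 1 + n + 4
        if end > len(payload):
            raise ValueError("truncated option 121 payload")
        dest = payload[i + 1:i + 1 + n] + bytes(4 - n)   # pad back to 4 octets
        net = ipaddress.IPv4Network((dest, plen), strict=False)
        gw = ipaddress.IPv4Address(payload[i + 1 + n:end])
        routes.append((net, gw))
        i = end
    return routes

def audit(payload: bytes, vpn_routes=("0.0.0.0/0",)):
    """Return (network, gateway, label) for each pushed route that is more
    specific than a tunnelled prefix, so it wins longest-prefix match."""
    tunnelled = [ipaddress.IPv4Network(r) for r in vpn_routes]
    findings = []
    for net, gw in parse_option_121(payload):
        if any(net.prefixlen > v.prefixlen and net.subnet_of(v) for v in tunnelled):
            local = any(net.subnet_of(p) for p in RFC1918)
            # private ranges may be ordinary LAN routes; anything else is unexpected
            findings.append((str(net), str(gw), "review" if local else "alert"))
    return findings

# Constructed sample payload (not a capture): 203.0.113.0/24 via 192.168.1.2,
# 10.20.0.0/16 via 192.168.1.1, and a default route via 192.168.1.1.
SAMPLE = bytes.fromhex("18cb0071c0a80102" "100a14c0a80101" "00c0a80101")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The payload itself has to come from the DHCP client's lease data or a packet capture of the DHCP reply; how to obtain it depends on the operating system and is not covered here.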