by acer4666 768 days ago
Is there a tl;dr so we don't have to wade through swathes of AI generated text explaining what a network is?
4 comments

An attacker who controls the DHCP server can give your device more specific routes and this apparently can cause traffic to go over those routes instead of the VPN. So if your VPN says that it's taking traffic for 0.0.0.0/0, and the DHCP server says 0.0.0.0/1 and 1.0.0.0/1 route over 10.1.1.1, then all your traffic gets sent over 10.1.1.1 because those routes are more specific so they "win".

(Please feel free to correct if I've missed something; this was my interpretation of https://arstechnica.com/security/2024/05/novel-attack-agains... )

> can cause traffic to go over those routes instead of the VPN

AIUI the vulnerability is more about forcing traffic via a specific interface than it is about setting the route. The host's routing table contains at least these fields:

A) destination (IP or subnet)

B) gateway (aka route, aka next hop)

C) interface

The article says that when the route is set using DHCP Option 21, the interface field is set to the interface on which the DHCP response was received. So, if I've understood the article correctly, even if the route/gateway address is correct and not malicious, the host will send out packets for that destination via the regular (wifi or ethernet) interface, instead of the VPN interface.

Imagine a coffee shop scenario: a malicious DHCP server responds to your DHCP request. It includes Option 121, making certain traffic go to 10.0.0.1 (the coffee shop router address). Now, even though that gateway isn't malicious, the fact that the traffic is now going over the wifi interface instead of the VPN means someone can snoop on it.
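Both comments above (the /1-beats-/0 explanation and the interface-binding point) come down to longest-prefix matching over a routing table. The following is an added example, not code from this thread or from the TunnelVision researchers: it decodes a constructed RFC 3442 option 121 payload, builds the table a host would end up with (a VPN default route on `tun0`, option 121 routes bound to `wlan0`, the interface the lease arrived on), and runs the kernel's longest-prefix selection over it. It goes one step beyond the thread by collapsing the non-VPN routes to report what share of IPv4 would leave outside the tunnel. The interface names, the VPN next hop `10.8.0.1` and both payloads are assumptions for the simulation; nothing here touches the real routing table.

```python
import ipaddress

# Constructed sample DHCP option 121 payload (RFC 3442 classless static route
# encoding). Each route is: prefix length, the significant octets of the
# destination, then the 4-byte router. The two /1 routes together cover all of
# IPv4 and point at the LAN router, so they out-rank a /0 VPN default.
ATTACK_PAYLOAD = bytes([
    1, 0,               10, 0, 0, 1,   # 0.0.0.0/1      via 10.0.0.1
    1, 128,             10, 0, 0, 1,   # 128.0.0.0/1    via 10.0.0.1
    24, 192, 168, 1,    10, 0, 0, 1,   # 192.168.1.0/24 via 10.0.0.1 (ordinary LAN route)
])
# Constructed benign payload: only the local LAN route.
BENIGN_PAYLOAD = bytes([24, 192, 168, 1, 10, 0, 0, 1])

VPN_IFACE = "tun0"          # assumed VPN interface name
DHCP_IFACE = "wlan0"        # assumed interface the DHCP reply arrived on
VPN_GATEWAY = "10.8.0.1"    # assumed VPN-side next hop


def parse_option_121(payload: bytes):
    """Decode RFC 3442 routes into (IPv4Network, router) pairs."""
    routes = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"bad prefix length {plen}")
        nsig = (plen + 7) // 8                  # only the significant octets are sent
        if i + nsig + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        dest = int.from_bytes(payload[i:i + nsig] + b"\x00" * (4 - nsig), "big")
        i += nsig
        router = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False), router))
    return routes


def build_table(payload: bytes):
    """Routing table as (destination, gateway, interface): the VPN default plus
    the option 121 routes, which the host binds to the interface the lease came in on."""
    table = [(ipaddress.IPv4Network("0.0.0.0/0"),
              ipaddress.IPv4Address(VPN_GATEWAY), VPN_IFACE)]
    for dest, router in parse_option_121(payload):
        table.append((dest, router, DHCP_IFACE))
    return table


def longest_prefix_match(table, dst: str):
    """Select the route the kernel would use: the matching entry with the longest prefix."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen, default=None)


def diverted_fraction(table) -> float:
    """Share of the IPv4 space whose traffic leaves through a non-VPN interface.
    Overlapping and adjacent routes are collapsed first so nothing is double counted."""
    outside = [dest for dest, _gw, iface in table if iface != VPN_IFACE]
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(outside))
    return covered / 2 ** 32


def audit(payload: bytes):
    """Summarise what the lease did to egress; a fraction near 1.0 means the VPN is bypassed."""
    table = build_table(payload)
    chosen = longest_prefix_match(table, "1.1.1.1")
    return {
        "routes": [(str(d), str(g), i) for d, g, i in table],
        "egress_for_1.1.1.1": chosen[2],
        "diverted_fraction": diverted_fraction(table),
    }


if __name__ == "__main__":
    for name, payload in (("attack", ATTACK_PAYLOAD), ("benign", BENIGN_PAYLOAD)):
        print(name, audit(payload))
```

With the attack payload every probe address, `1.1.1.1` included, resolves to a /1 on `wlan0` even though the /0 on `tun0` also matches, and the collapsed non-VPN routes cover 100% of IPv4; the benign payload diverts only its /24 and leaves `1.1.1.1` on the tunnel. The same routine can be pointed at the option 121 bytes a DHCP client logs from a real lease to see what a given network would do to a VPN default route.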

Will static IP and gateway alleviate this threat? I guess at what level too.

I tend to think yes. If the initial attack, as I understand it, is from a DHCP server handing out poisoned options, then if a client is set up as static from the get-go it'll never request a lease to begin with and, well, there you have it.
I interviewed some smart people about their research in a story published today:

https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-...

You probably followed the advice to read from the 121 section already, but if you're sharing this with others it might be helpful to link our website that serves as a TLDR + FAQ. https://tunnelvisionbug.com/

There's also a general public advisory there that's supposed to be for anyone non-technical but who wants to understand the issue. All this content was also written by hand over 8ish months too; no AI was used.

This is a great explanation of basic networking mechanisms that most people know almost nothing about. Don’t listen to the haters.

I feel that I’m in a high percentile for networking knowledge, but I didn’t know about option 121!

Scroll down to "What is DHCP option 121?" and start reading there.