mirror of https://github.com/SagerNet/sing-box.git synced 2025-08-20 00:57:36 +08:00

documentation: Add manuel for mitigating tunnelvision attacks

2024-05-23 14:57:27 +08:00

947 B

Raw Blame History

icon

icon
material/book-lock-open

TunnelVision

TunnelVision is an attack that uses DHCP option 121 to set higher priority routes so that traffic does not go through the VPN.

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3661

Status

Android

Android does not handle DHCP option 121 and is not affected.

Apple platforms

Update sing-box graphical client to 1.9.0-rc.16 or newer, then enable includeAllNetworks in Settings — Packet Tunnel and you will be unaffected.

Note: when includeAllNetworks is enabled, the default TUN stack is changed to gvisor, and the system and mixed stacks are not available.

Linux

Update sing-box to 1.9.0-rc.16 or newer, rules generated by auto-route are unaffected.

Windows

No solution yet.

Workarounds

Don't connect to untrusted networks
Relay untrusted network through another device
Just ignore it

947 B Raw Blame History