mirror of
https://github.com/SagerNet/sing-box.git
synced 2024-11-30 04:21:29 +00:00
39 lines
947 B
Markdown
39 lines
947 B
Markdown
|
---
|
||
|
icon: material/book-lock-open
|
||
|
---
|
||
|
|
||
|
# TunnelVision
|
||
|
|
||
|
TunnelVision is an attack that uses DHCP option 121 to set higher priority routes
|
||
|
so that traffic does not go through the VPN.
|
||
|
|
||
|
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3661
|
||
|
|
||
|
## Status
|
||
|
|
||
|
### Android
|
||
|
|
||
|
Android does not handle DHCP option 121 and is not affected.
|
||
|
|
||
|
### Apple platforms
|
||
|
|
||
|
Update [sing-box graphical client](/clients/apple/#download) to `1.9.0-rc.16` or newer,
|
||
|
then enable `includeAllNetworks` in `Settings` — `Packet Tunnel` and you will be unaffected.
|
||
|
|
||
|
Note: when `includeAllNetworks` is enabled, the default TUN stack is changed to `gvisor`,
|
||
|
and the `system` and `mixed` stacks are not available.
|
||
|
|
||
|
### Linux
|
||
|
|
||
|
Update sing-box to `1.9.0-rc.16` or newer, rules generated by `auto-route` are unaffected.
|
||
|
|
||
|
### Windows
|
||
|
|
||
|
No solution yet.
|
||
|
|
||
|
## Workarounds
|
||
|
|
||
|
* Don't connect to untrusted networks
|
||
|
* Relay untrusted network through another device
|
||
|
* Just ignore it
|