Are Glinet mobile router protected against CVE-2024-3661 (tunnelvision)?

Routers
122

I just tried your both solutions but none of them worked! You can test it by yourself. They would work however on a plain OpenWRT.

You can see the ps result, which shows that the -O 121 still being appended, after I applied both fixes you recommended:

10796 root 1232 S udhcpc -p /var/run/udhcpc-rmnet_mhi0.pid -s /lib/netifd/dhcp.script -f -t 0 -i rmnet_mhi0 -x hostname:GL-X3000 -C -R -O 121

The reason is that on GL devices there is a hard-coded value in the script I referred to earlier at line 63:
[ "$classlessroute" = "0" ] || append dhcpopts "-O 121"

This line needs to be commented out to ensure all interfaces are running without this option.

1 Like
123

I was assuming the native OpenWRT behavior would apply. Whats the reason Glinet hard corded 121 into the script? I dont see any plausible reason for it. Also on normal OpenWRT classlessroute 0 is the default behavior.

124

Because itā€™s a valid DHCP option and highly needed with strange hotspot configurations.

I donā€™t get why you are still shouting ā€˜maliciousā€™ if itā€™s not proven to be so.

You can always (!) manipulate traffic on WAN side. By just simply configure routes on the next hop for example.

As long as VPN isnā€™t affected all is fine.

125

Why is the option then ignored? I am a bit confused by what SpitzAX3000 said. If you look on here:

https://openwrt-devel.openwrt.narkive.com/HdeQA8Re/patch-netifd-request-dhcp-option-121-classless-route-by-default

It seems the change was made by OpenWRT 8 years ago, and the line is also the same on the Glinet device:

[ ā€œ$classlessrouteā€ = ā€œ0ā€ ] || append dhcpopts ā€œ-O 121ā€

As I understand append dhcpopts ā€œ-O 121ā€ is only executed if classlessroute is 1.

Shouldnt the line then be something like this?

[ ā€œ$classlessrouteā€ = ā€œ1ā€ ] && append dhcpopts ā€œ-O 121ā€

Though thats the same as = 0 || as I see it.

ā€œAs long as VPN isnā€™t affected all is fine.ā€ no? what about people not using VPN and then get manipulated routes this way? as I said, this is not only about VPN leaks. it can also be used to change specific routes when you dont use a VPN.

126

Because it does not matter.

As I wrote above you can manipulate WAN routes all the time. Just set another route on the router next to WAN - tadaaaa! - manipulated. Every router is independent.

The only dangerous thing would be if it would be possible to overwrite routes which are used on LAN side or default route or specific VPN route. But alzaho already confirmed this isnā€™t possible.

1 Like
127

You are wrong.

https://www.cve.org/CVERecord?id=CVE-2024-3661

128

Sharing the same CVE over and over again wonā€™t change anything.

All about this CVE is about client systems running client routing-based VPNs.

As long as the router decides based on firewall and interface config where to send traffic you can try to add as many routes on WAN side as you want, wonā€™t help exploiting.

1 Like
129

Can you clarify? Article says that it is not only client sideā€¦

130

In my opinion, this does not affect the routers, as the DHCP route does not decide which interface the traffic goes through.

This is usually different for client systems, which is why they are particularly affected.

However, as the routers function like a firewall as such and have both interfaces and rules, I donā€™t see the problem there.

I may be wrong, but only time will tell.

131

Which rules to add in this case?

132

Itā€™s not about a specific rule. Itā€™s about the work between interfaces and firewall rules.

Router says: Send all VPN over interface wg
Router sets the firewall rule to forward all traffic to interface wg

Itā€™s not IP-based routing, imho, speaking of routing based on subnets

133

So what bunch of settings I need if not only firewall?

134

Canā€™t tell, depends on your device. Mostly you canā€™t do anything about it, if itā€™s not implemented.

135

@Jeremy You might want to review the entirety of this thread before coming in and announcing folks are wrong.

136

I read about it in Reddit. And I came here to ask about something else. But found this thread. And posted my 5 cents

137

MT3000 and E750v2 - this ones

138

So what to add to firewall to protect against this (in dictatorship ISP)?

And protect from this too

Why do we need 121 at all? Many people on Reddit say that this is not useful at allā€¦

139

Can somebody please give me a tldnr recap of what is happening? Are we done for?

140

No, we are fine here.

1 Like
141

Oh, I guess that is a good enough reason not to read the rest of the posts you are replying to then. You can have your nickel back I guess. :wink: