CVE-2024-3661 exposes a vulnerability in DHCP routing options, allowing attackers to manipulate interface-based VPN traffic, potentially leading to the interception, disruption, or modification of network traffic that should be protected by the VPN. This poses significant security risks to operational technology (OT) environments relying on VPNs for secure communication and data transmission, potentially compromising critical infrastructure and processes.
From the CVE database:
By design, the DHCP protocol does not authenticate messages, including for example the classless static route option (121). An attacker with the ability to send DHCP messages can manipulate routes to redirect VPN traffic, allowing the attacker to read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN. Many, if not most VPN systems based on IP routing are susceptible to such attacks.
https://www.cve.org/CVERecord?id=CVE-2024-3661