DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.

Exploitation of this vulnerability requires the machine to be in a network with an untrusted DHCP server and the VPN in the host to allow for the DHCP-provided routes to manipulate the behavior of the unencrypted VPN.

Users are advised to mitigate this issue by either trusting their DHCP server, choosing a VPN solution with encrypts traffic end-to-end, or a VPN solution which doesn’t let the DHCP-provided routes take precedence over the VPN routes.