Unable to set specific DHCP4 option to false in order to ignore DHCP option 121 (CVE-2024-3661)
Summary
Mitigating the "TunnelVision" vulnerability (https://github.com/leviathansecurity/TunnelVision/) (CVE-2024-3661) by manually ignoring DHCP option 121 (https://datatracker.ietf.org/doc/html/rfc3442) for specific connections is not feasible via the internal DHCP4 client in NetworkManager.
Version affected
Debian 12 Bookworm 1.46.0 (nmcli --version)
Steps to reproduce
Try to set "requested_rfc3442_classless_static_routes = 0" via "nmcli connection edit [con-name]"
Actual result
Error message containing the following parameters: "connection, 802-3-ethernet (ethernet), 802-1x, dcb, sriov, ethtool, match, ipv4, ipv6, hostname, link, tc, proxy"
and
DHCP4.OPTION[ID]: requested_rfc3442_classless_static_routes = 1
Expected result
DHCP4.OPTION[ID]: requested_rfc3442_classless_static_routes = 0
Relevant logs
Workaround
Set dhcp=dhclient to use isc-dhcp-client, and remove the "rfc3442-classless-static-routes" option from the request parameters section in dhclient.conf.
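A way to verify the workaround, added here as an example and not part of the original report: the script lists what a dhclient.conf actually requests and fails if option 121 is still in a request statement. The sample configuration is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the style of a Debian dhclient.conf (not from the report).
sample_conf() {
cat <<'EOF'
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
send host-name = gethostname();
# request rfc3442-classless-static-routes;   (commented out, must not count)
request subnet-mask, broadcast-address, routers,
	domain-name, domain-name-servers, interface-mtu,
	rfc3442-classless-static-routes, ntp-servers;
EOF
}

# Print each option named in a "request" or "also request" statement, one per
# line. Statements can span lines and end at ';'; '{' and '}' are treated as
# separators so statements inside interface blocks are seen too. The
# "option ... code 121" declaration only defines the format and is skipped.
requested_options() {
    sed 's/#.*//' "$@" | tr '\n' ' ' | tr ';{}' '\n\n\n' |
    awk '{
        sub(/^[ \t]+/, "")
        if ($1 == "also") sub(/^also[ \t]+/, "")
        if ($1 != "request") next
        sub(/^request[ \t]*/, "")
        n = split($0, opts, ",")
        for (i = 1; i <= n; i++) {
            gsub(/[ \t]/, "", opts[i])
            if (opts[i] != "") print opts[i]
        }
    }'
}

# Exit status 0 when option 121 is not requested, 1 when it still is.
# Reads the files given as arguments, or stdin when there are none.
option121_not_requested() {
    ! requested_options "$@" | grep -qx 'rfc3442-classless-static-routes'
}

# Demo on the constructed sample, which still requests the option.
if sample_conf | option121_not_requested; then
    echo "OK: option 121 is not requested"
else
    echo "option 121 is still requested; remove it from the request statement"
fi
```

A plain grep for the option name would also match the "option ... code 121" declaration line, which can stay in the file; only the request statements matter.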