CVE-2024-3661 Impact of TunnelVision Vulnerability
Description
The Palo Alto Networks Product Security Assurance team has evaluated the TunnelVision vulnerability as it relates to our products. This issue allows an attacker with the ability to send DHCP messages on the same local area network, such as a rogue Wi-Fi network, to leak traffic outside of the GlobalProtect tunnel, allowing the attacker to read, disrupt, or possibly modify network traffic that was expected to be protected by the GlobalProtect tunnel. However, this attack does not enable the attacker to decrypt HTTPS or other encrypted traffic.
Cloud NGFW, PAN-OS, and Prisma Access do not process DHCP option 121 and are therefore unaffected.
GlobalProtect app on Windows and macOS systems with Endpoint Traffic Policy Enforcement enabled are unaffected. Endpoint Traffic Policy Enforcement is disabled by default.
GlobalProtect app on Linux is affected. A fix will be released in an upcoming release.
GlobalProtect app on iOS with IncludeAllNetworks set to 1 is unaffected.
GlobalProtect app on Android is unaffected since the Android DHCP client does not process DHCP option 121.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| GlobalProtect App | All without Endpoint Traffic Policy Enforcement set to All Traffic on Windows All without Endpoint Traffic Policy Enforcement set to All Traffic on macOS All on Linux All without IncludeAllNetworks set to 1 on iOS None on Android | All with Endpoint Traffic Policy Enforcement set to All Traffic on Windows All with Endpoint Traffic Policy Enforcement set to All Traffic on macOS Upcoming major release on Linux All with IncludeAllNetworks set to 1 on iOS All on Android |
| PAN-OS | None | All |
| Prisma Access | None | All |
Required Configuration for Exposure
No special configuration is required to be affected by this issue.
Severity: LOW, Suggested Urgency: REDUCED
CVSS-BT: 2.1 / CVSS-B: 2.1 (CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/AU:Y/R:A/V:D/RE:M/U:Green)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue in any of our products.
Weakness Type
CWE-501 Trust Boundary Violation
CWE-306 Missing Authentication for Critical Function
Solution
For Windows and macOS devices, ensure that Endpoint Traffic Policy Enforcement is set to All Traffic (Network → GlobalProtect Portals → <portal-config> → Agent → <agent-config> → App → Endpoint Traffic Policy Enforcement). Please see the following document for additional details: https://docs.paloaltonetworks.com/globalprotect/6-0/globalprotect-app-new-features/new-features-released-in-gp-app/endpoint-traffic-policy-enforcement.
For iOS devices, ensure that IncludeAllNetworks is set to 1 using mobile device management. For additional guidance, please see our mobile device management documentation at https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/mobile-endpoint-management and the Apple documentation at https://developer.apple.com/documentation/devicemanagement/vpn/vpn. To allow users to access their local network, ensure that ExcludeLocalNetwork is set to 1, so that the GlobalProtect app will route all local network traffic outside the tunnel.
Updates will be released for the GlobalProtect app on Linux in an upcoming major release.
Workarounds and Mitigations
For the GlobalProtect app on Windows, macOS, and Linux, this attack can be mitigated by enabling the "No direct access to local network" feature in the Split Tunnel tab on the firewall. Detailed information can be found at:
- https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/globalprotect/network-globalprotect-gateways/globalprotect-gateways-agent-tab/client-settings-tab
- https://docs.paloaltonetworks.com/prisma/prisma-access/3-0/prisma-access-panorama-admin/prisma-access-advanced-deployments/mobile-user-globalprotect-advanced-deployments/sinkhole-ipv6-traffic-from-mobile-users/configure-globalprotect-to-disable-direct-access-to-the-local-network
Note that enabling "No direct access to local network" prevents end users from connecting to local LAN devices such as home printers, network storage, or streaming devices. You can configure exceptions for specific users, operating systems, source addresses, destination domains, and applications by following the instructions at:
- https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-access-route
- https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application
You can mitigate this attack for the GlobalProtect app on iOS devices by disabling Wi-Fi.