Palo Alto Networks Security Advisories / CVE-2024-3661

CVE-2024-3661 Impact of TunnelVision Vulnerability

Urgency REDUCED

047910
Severity 2.1 · LOW
Response Effort MODERATE
Recovery AUTOMATIC
Value Density DIFFUSE
Attack Vector ADJACENT
Attack Complexity HIGH
Attack Requirements PRESENT
Automatable YES
User Interaction PASSIVE
Product Confidentiality LOW
Product Integrity LOW
Product Availability LOW
Privileges Required NONE
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE

Description

The Palo Alto Networks Product Security Assurance team has evaluated the TunnelVision vulnerability as it relates to our products. This issue allows an attacker with the ability to send DHCP messages on the same local area network, such as a rogue Wi-Fi network, to leak traffic outside of the GlobalProtect tunnel, allowing the attacker to read, disrupt, or possibly modify network traffic that was expected to be protected by the GlobalProtect tunnel. However, this attack does not enable the attacker to decrypt HTTPS or other encrypted traffic.

Cloud NGFW, PAN-OS, and Prisma Access do not process DHCP option 121 and are therefore unaffected.

GlobalProtect app on Windows and macOS systems with Endpoint Traffic Policy Enforcement enabled are unaffected. Endpoint Traffic Policy Enforcement is disabled by default.

GlobalProtect app on Linux is affected. A fix will be released in an upcoming release.

GlobalProtect app on iOS with IncludeAllNetworks set to 1 is unaffected.

GlobalProtect app on Android is unaffected since the Android DHCP client does not process DHCP option 121.

Product Status

VersionsAffectedUnaffected
Cloud NGFW NoneAll
GlobalProtect app on Android NoneAll
GlobalProtect app on iOS All versions without IncludeAllNetworks set to 1All versions with IncludeAllNetworks set to 1
GlobalProtect app on Linux AllUpcoming major release
GlobalProtect app on Windows and macOS All versions without Endpoint Traffic Policy Enforcement set to All TrafficAll versions with Endpoint Traffic Policy Enforcement set to All Traffic
PAN-OS NoneAll
Prisma Access NoneAll

Severity: LOW, Suggested Urgency: REDUCED

CVSS-B: 2.1 (CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/AU:Y/R:A/V:D/RE:M/U:Green)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue in any of our products.

Weakness Type

CWE-501 Trust Boundary Violation

CWE-306 Missing Authentication for Critical Function

Solution

For Windows and macOS devices, ensure that Endpoint Traffic Policy Enforcement is set to All Traffic (Network → GlobalProtect Portals → <portal-config> → Agent → <agent-config> → App → Endpoint Traffic Policy Enforcement). Please see the following document for additional details: https://docs.paloaltonetworks.com/globalprotect/6-0/globalprotect-app-new-features/new-features-released-in-gp-app/endpoint-traffic-policy-enforcement.

For iOS devices, ensure that IncludeAllNetworks is set to 1 using mobile device management. For additional guidance, please see our mobile device management documentation at https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/mobile-endpoint-management and the Apple documentation at https://developer.apple.com/documentation/devicemanagement/vpn/vpn. To allow users to access their local network, ensure that ExcludeLocalNetwork is set to 1, so that the GlobalProtect app will route all local network traffic outside the tunnel.

Updates will be released for the GlobalProtect app on Linux in an upcoming major release.

Workarounds and Mitigations

For the GlobalProtect app on Windows, macOS, and Linux, this attack can be mitigated by enabling the "No direct access to local network" feature in the Split Tunnel tab on the firewall. Detailed information can be found at:

* https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/globalprotect/network-globalprotect-gateways/globalprotect-gateways-agent-tab/client-settings-tab

* https://docs.paloaltonetworks.com/prisma/prisma-access/3-0/prisma-access-panorama-admin/prisma-access-advanced-deployments/mobile-user-globalprotect-advanced-deployments/sinkhole-ipv6-traffic-from-mobile-users/configure-globalprotect-to-disable-direct-access-to-the-local-network

Note that enabling "No direct access to local network" prevents end users from connecting to local LAN devices such as home printers, network storage, or streaming devices. You can configure exceptions for specific users, operating systems, source addresses, destination domains, and applications by following the instructions at:

* https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-access-route

* https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application

You can mitigate this attack for the GlobalProtect app on iOS devices by disabling Wi-Fi.

Timeline

Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.