CVE-2024-3661 Impact of TunnelVision Vulnerability
Description
The Palo Alto Networks Product Security Assurance team has evaluated the TunnelVision vulnerability as it relates to our products. This issue allows an attacker with the ability to send DHCP messages on the same local area network, such as a rogue Wi-Fi network, to leak traffic outside of the GlobalProtect tunnel, allowing the attacker to read, disrupt, or possibly modify network traffic that was expected to be protected by the GlobalProtect tunnel. However, this attack does not enable the attacker to decrypt HTTPS or other encrypted traffic.
Cloud NGFW, PAN-OS, and Prisma Access do not process DHCP option 121 and are therefore unaffected.
GlobalProtect app on Windows and macOS systems with Endpoint Traffic Policy Enforcement enabled are unaffected. Endpoint Traffic Policy Enforcement is disabled by default.
GlobalProtect app on Linux is affected. A fix will be released in an upcoming release.
GlobalProtect app on iOS with IncludeAllNetworks set to 1 is unaffected.
GlobalProtect app on Android is unaffected since the Android DHCP client does not process DHCP option 121.
Product Status
Versions | Affected | Unaffected |
---|---|---|
Cloud NGFW | None | All |
GlobalProtect app on Android | None | All |
GlobalProtect app on iOS | All versions without IncludeAllNetworks set to 1 | All versions with IncludeAllNetworks set to 1 |
GlobalProtect app on Linux | All | Upcoming major release |
GlobalProtect app on Windows and macOS | All versions without Endpoint Traffic Policy Enforcement set to All Traffic | All versions with Endpoint Traffic Policy Enforcement set to All Traffic |
PAN-OS | None | All |
Prisma Access | None | All |
Severity: LOW
CVSSv4.0 Base Score: 2.1 (CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/AU:Y/R:A/V:D/RE:M/U:Green)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue in any of our products.
Weakness Type
CWE-501 Trust Boundary Violation
CWE-306 Missing Authentication for Critical Function
Solution
For Windows and macOS devices, ensure that Endpoint Traffic Policy Enforcement is set to All Traffic (Network → GlobalProtect Portals → <portal-config> → Agent → <agent-config> → App → Endpoint Traffic Policy Enforcement). Please see the following document for additional details: https://docs.paloaltonetworks.com/globalprotect/6-0/globalprotect-app-new-features/new-features-released-in-gp-app/endpoint-traffic-policy-enforcement.
For iOS devices, ensure that IncludeAllNetworks is set to 1 using mobile device management. For additional guidance, please see our mobile device management documentation at https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/mobile-endpoint-management and the Apple documentation at https://developer.apple.com/documentation/devicemanagement/vpn/vpn. To allow users to access their local network, ensure that ExcludeLocalNetwork is set to 1, so that the GlobalProtect app will route all local network traffic outside the tunnel.
Updates will be released for the GlobalProtect app on Linux in an upcoming major release.
Workarounds and Mitigations
For the GlobalProtect app on Windows, macOS, and Linux, this attack can be mitigated by enabling the "No direct access to local network" feature in the Split Tunnel tab on the firewall. Detailed information can be found at:
Note that enabling "No direct access to local network" prevents end users from connecting to local LAN devices such as home printers, network storage, or streaming devices. You can configure exceptions for specific users, operating systems, source addresses, destination domains, and applications by following the instructions at:
You can mitigate this attack for the GlobalProtect app on iOS devices by disabling Wi-Fi.