Palo Alto Networks Security Advisories / PAN-SA-2020-0009

PAN-SA-2020-0009 Informational: Mitigating threats for GlobalProtect clients connecting from untrusted networks

Severity 0 · NONE
Attack Vector ADJACENT_NETWORK
Attack Complexity HIGH
Privileges Required HIGH
User Interaction REQUIRED
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact NONE

Description

Orange Cyberdefense presented a study on the efficacy of modern commercial VPN solutions when providing security to clients on untrusted networks, such as internet hotspots. The study aims to make network administrators aware that they must carefully deploy their VPN solutions. This study highlights the fact that VPN-only solutions do not offer the level of security required for clients connecting from untrusted networks.

Researchers conducted this study to measure the efficacy of VPNs in a controlled lab environment where they disabled host firewalls and threat prevention features and conducted attacks that are considered known risks in an untrusted network. This research does not demonstrate a new vulnerability or a novel attack technique.

Palo Alto Networks products, such as GlobalProtect™, Cortex™ XDR, and threat prevention features and subscriptions on our next-generation firewalls, are ideally suited to address the risks considered in the study.

This study illustrated the importance of enabling GlobalProtect features related to captive portals and of enabling additional layers of security through endpoint protection and next-generation firewall features.

Product Status

Product         Versions   Affected   Unaffected
GlobalProtect   all        none       none

Required Configuration for Exposure

The following GlobalProtect portal configuration increases the risks associated with GlobalProtect clients in an untrusted network:

1. 'No direct access to local network' is disabled under Split Tunnel configuration. See https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/globalprotect/network-globalprotect-gateways/globalprotect-gateways-agent-tab/client-settings-tab.html.

2. 'Allow User to Continue with Invalid Portal Server Certificate' is set to 'Yes' (Network > GlobalProtect > Portal > Agent > <agent-config> > App).

Severity: NONE

CVSSv3.1 Base Score: 0 (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N)

Weakness Type

Solution

The risks outlined in the study are mitigated by:

1. Ensuring that you have the following configuration for the GlobalProtect portal:

(a) 'Allow User to Continue with Invalid Portal Server Certificate' set to 'No' (Network > GlobalProtect > Portal > Agent > <agent-config> > App).

(b) 'No Direct access to local network' option is enabled (Split Tunnel configuration). See https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/globalprotect/network-globalprotect-gateways/globalprotect-gateways-agent-tab/client-settings-tab.html.

2. Ensuring that all next-generation firewall threat prevention features and subscriptions are enabled.

3. Ensuring that you deployed the Cortex XDR agent on clients for endpoint protection. See https://www.paloaltonetworks.com/cortex/endpoint-protection.

4. Not accessing unsecured HTTP sites until the GlobalProtect status displays as 'Connected'. Setting a low value for the 'Captive Portal Exception Timeout (seconds)' option reduces this window of time. See https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/globalprotect-quick-configs/captive-portal-and-enforce-globalprotect-for-network-access.html.

5. Setting the 'Enforce GlobalProtect Connection for Network Access' option to 'Yes' to prevent user internet access outside of the VPN tunnel. See https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/globalprotect-quick-configs/captive-portal-and-enforce-globalprotect-for-network-access.html.

6. Ensuring that host-based firewalls on the endpoint clients are not disabled.

7. For GlobalProtect VPN tunnels to Prisma Access, configuring Prisma Access to sinkhole IPv6 traffic, which reduces the attack surface for IPv6-based threats. See https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-for-users/quick-configs-for-user-deployments/sinkhole-ipv6-traffic-from-mobile-users.html.
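The two portal settings listed under "Required Configuration for Exposure" and corrected in step 1 above are the kind of thing that drifts silently across many agent configs. The following script is an added example, not Palo Alto Networks code: it walks a configuration export and reports every agent config whose settings differ from the advisory's recommendation. The XML element names (allow-invalid-portal-cert, split-tunnel/no-direct-access-to-local-network) and the sample configuration are assumptions constructed for illustration; map them to the element names in your own PAN-OS running-config export before using this as an audit.

```python
"""Audit a GlobalProtect configuration export for the two portal settings
PAN-SA-2020-0009 lists under "Required Configuration for Exposure".

Added example, not Palo Alto Networks code. The element names used below are
ASSUMED for illustration; confirm them against a real running-config export.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one weak agent config beside its hardened counterpart.
SAMPLE_CONFIG = """<config>
  <global-protect>
    <portal>
      <agent>
        <entry name="weak-agent">
          <allow-invalid-portal-cert>yes</allow-invalid-portal-cert>
          <split-tunnel>
            <no-direct-access-to-local-network>no</no-direct-access-to-local-network>
          </split-tunnel>
        </entry>
        <entry name="hardened-agent">
          <allow-invalid-portal-cert>no</allow-invalid-portal-cert>
          <split-tunnel>
            <no-direct-access-to-local-network>yes</no-direct-access-to-local-network>
          </split-tunnel>
        </entry>
      </agent>
    </portal>
  </global-protect>
</config>"""


def _deviation(entry, path, expected):
    """Return None when the element at `path` holds `expected`, otherwise the
    actual value (or '<missing>' when the element is absent, which is also
    treated as a finding because the effective default is then unknown)."""
    node = entry.find(path)
    if node is None:
        return "<missing>"
    value = (node.text or "").strip().lower()
    return None if value == expected else value


def audit(xml_text):
    """Map each portal agent config name to a list of findings.
    An empty list means the config matches the advisory's recommendations."""
    root = ET.fromstring(xml_text)
    results = {}
    for entry in root.iterfind(".//portal/agent/entry"):
        name = entry.get("name", "<unnamed>")
        findings = []
        # Step 1(a): invalid portal server certificate must NOT be accepted.
        actual = _deviation(entry, "allow-invalid-portal-cert", "no")
        if actual is not None:
            findings.append(
                "'Allow User to Continue with Invalid Portal Server Certificate' "
                f"is {actual!r}; advisory recommends 'No'")
        # Step 1(b): direct access to the local network must be blocked.
        actual = _deviation(
            entry, "split-tunnel/no-direct-access-to-local-network", "yes")
        if actual is not None:
            findings.append(
                f"'No direct access to local network' is {actual!r}; "
                "advisory recommends enabled")
        results[name] = findings
    return results


if __name__ == "__main__":
    for agent, findings in audit(SAMPLE_CONFIG).items():
        print(f"{agent}: {'OK' if not findings else 'REVIEW'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the embedded sample, the script reports two findings for "weak-agent" and none for "hardened-agent". Treating a missing element as a finding is deliberate: an absent setting means the device default applies, and that default should be verified rather than assumed safe.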

Because our products are capable of addressing these risks with the appropriate use of existing features and options, no GlobalProtect updates are required.

Workarounds and Mitigations

See the solution section.

Acknowledgments

Palo Alto Networks thanks Charl van der Walt and Wicus Ross of Orange Cyberdefense for working with us to test the efficacy of our GlobalProtect VPN solutions.

Timeline

Initial publication
© 2020 Palo Alto Networks, Inc. All rights reserved.