PAN-SA-2023-0004 Informational Bulletin: Impact of TunnelCrack Vulnerabilities (CVE-2023-36671, CVE-2023-36672, CVE-2023-35838, and CVE-2023-36673)
Informational
Description
The Palo Alto Networks Product Security Assurance team is aware of the research publication that details a combination of attacks named "TunnelCrack". These are also referred to as LocalNet and ServerIP attacks as detailed below.
These attacks leak VPN client traffic outside of the protected VPN tunnel when clients connect to untrusted networks, such as rogue Wi-Fi access points.
A LocalNet attack allows an attacker to take advantage of local network access features in multiple vendor VPN clients to access unencrypted traffic.
A ServerIP attack allows an attacker to intercept traffic sent to a spoofed VPN gateway via DNS spoofing attacks.
However, these attacks do not enable the attacker to decrypt HTTPS or other encrypted traffic.
GlobalProtect agent deployments on Android and ChromeOS are not vulnerable to LocalNet attacks. On iOS, third-party apps with the "Local Network" permission disabled are not vulnerable to LocalNet attacks.
GlobalProtect agent deployments on all platforms configured with "No direct access to local network" are not vulnerable to LocalNet attacks.
Additionally, Prisma Access customers are not impacted by ServerIP attacks. PAN-OS with GlobalProtect Gateways configured with the address set as an IP are not impacted by ServerIP attacks.
Please refer to the Required Configuration for Exposure section for the exact configurations that make the deployments susceptible to these attacks.
| CVE | Summary |
|---|---|
| CVE-2023-36672 | LocalNet attack resulting in leakage of traffic in plaintext. |
| CVE-2023-35838 | LocalNet attack resulting in the blocking of traffic. |
| CVE-2023-36673 | ServerIP attack, combined with DNS spoofing, that can leak traffic to arbitrary IP address. |
| CVE-2023-36671 | ServerIP attack where only traffic to the real IP address of the VPN server can be leaked. |
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS with GlobalProtect app on Android and ChromeOS | LocalNet: None, ServerIP: Gateways with address set as an FQDN | LocalNet: All, ServerIP: Gateways with address set as an IP |
| PAN-OS with GlobalProtect app on iOS | LocalNet: Third-party apps with the "Local Network" permission enabled and Apple apps, ServerIP: Gateways with address set as an FQDN | LocalNet: Third-party apps with the "Local Network" permission disabled, ServerIP: Gateways with address set as an IP |
| PAN-OS with GlobalProtect app on Windows, macOS, and Linux | LocalNet: Configurations allowing local network access, ServerIP: Gateways with address set as an FQDN | LocalNet: "No direct access to local network" enabled, ServerIP: Gateways with address set as an IP |
| Prisma Access with GlobalProtect app on Android and ChromeOS | None | All |
| Prisma Access with GlobalProtect app on iOS | LocalNet: Third-party apps with the "Local Network" permission enabled and Apple apps, ServerIP: None | LocalNet: Third-party apps with the "Local Network" permission disabled, ServerIP: All |
| Prisma Access with GlobalProtect app on Windows, macOS, and Linux | LocalNet: Configurations allowing local network access, ServerIP: None | LocalNet: "No direct access to local network" enabled, ServerIP: All |
Required Configuration for Exposure
LocalNet attacks on Windows, macOS, and Linux only impact a GlobalProtect agent configuration that allows direct access to the local network setting in the Split Tunnel tab in the firewall configuration.
LocalNet attacks on iOS only impacts third-party apps that enable access to the Local Network as well as any Apple apps, such as Safari, that are enabled on the device.
ServerIP attacks are relevant only to PAN-OS firewall configurations with a GlobalProtect gateway enabled and an FQDN used for Gateway address.
You can verify whether you have a GlobalProtect portal or gateway configured by checking for entries in your web interface (select Network > GlobalProtect > Gateways).
You can verify if an FQDN is used for the Gateway address by navigating to Network > GlobalProtect > Portal > Agent > External Gateway.
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue on any of our products. Proof of concept exploits for these issues are publicly available.
Weakness Type
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Solution
No software updates are required at this time.
Please see the following KB article, which describes how to mitigate both LocalNet and ServerIP attacks: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000XgAlCAK
LocalNet attacks on Windows, macOS, and Linux are completely mitigated by enabling the "No direct access to local network" feature in the Split Tunnel tab on the firewall. Detailed information can be found at:
Note that enabling "No direct access to local network" prevents end users from connecting to local LAN devices such as home printers, network storage, or streaming devices. You can configure exceptions for specific users, operating systems, source addresses, destination domains, and applications by following the instructions at:
LocalNet attacks against third party apps on iOS are completely mitigated by disabling access to the local Local Network on a per-app basis. LocalNet attacks against Apple apps, such as Safari, can be mitigated by disabling the apps. Detailed information can be found at:
* https://support.apple.com/en-us/HT211870
* https://support.apple.com/en-us/HT201304
ServerIP attacks are completely mitigated by navigating to Network > GlobalProtect > Portal > Agent > External Gateway and setting an IP address instead of an FQDN for the gateway configuration. Gateway certificates will need to be updated to include the IP address as a SAN or as a common name. Detailed information can be found at: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/globalprotect/network-globalprotect-portals/globalprotect-portals-agent-configuration-tab/globalprotect-portals-agent-external-tab
Workarounds and Mitigations
Please refer to the recommended configurations in the Solution section that completely mitigate these attacks.
Endpoints configured to use only an authenticated DNS mechanism such as DNS over TLS, DNS over HTTPS, or DNSSEC are also protected from the ServerIP attacks.
Acknowledgments
Frequently Asked Questions
Q.Why is Prisma Access not impacted?
When GlobalProtect is used with Prisma Access, the IP address of Prisma Access is verified by the GlobalProtect app. A connection is not established if this verification fails. Hence, attacks that rely on DNS spoofing do not work.