Palo Alto Networks Security Advisories / PAN-SA-2023-0004

PAN-SA-2023-0004 Informational Bulletin: Impact of TunnelCrack Vulnerabilities (CVE-2023-36671, CVE-2023-36672, CVE-2023-35838, and CVE-2023-36673)


Informational

Description

The Palo Alto Networks Product Security Assurance team is aware of the research publication that details a combination of attacks named "TunnelCrack". These are also referred to as LocalNet and ServerIP attacks as detailed below.

These attacks leak VPN client traffic outside of the protected VPN tunnel when clients connect to untrusted networks, such as rogue Wi-Fi access points.

A LocalNet attack allows an attacker to take advantage of local network access features in multiple vendor VPN clients to access unencrypted traffic.

A ServerIP attack allows an attacker to intercept traffic sent to a spoofed VPN gateway via DNS spoofing attacks.

However, these attacks do not enable the attacker to decrypt HTTPS or other encrypted traffic.

GlobalProtect agent deployments on Android and ChromeOS are not vulnerable to LocalNet attacks. On iOS, third-party apps with the "Local Network" permission disabled are not vulnerable to LocalNet attacks.

GlobalProtect agent deployments on all platforms configured with "No direct access to local network" are not vulnerable to LocalNet attacks.

Additionally, Prisma Access customers are not impacted by ServerIP attacks. PAN-OS with GlobalProtect Gateways configured with the address set as an IP are not impacted by ServerIP attacks.

Please refer to the Required Configuration for Exposure section for the exact configurations that make the deployments susceptible to these attacks.

CVESummary
CVE-2023-36672LocalNet attack resulting in leakage of traffic in plaintext.
CVE-2023-35838LocalNet attack resulting in the blocking of traffic.
CVE-2023-36673ServerIP attack, combined with DNS spoofing, that can leak traffic to arbitrary IP address.
CVE-2023-36671ServerIP attack where only traffic to the real IP address of the VPN server can be leaked.

Product Status

VersionsAffectedUnaffected
PAN-OS with GlobalProtect app on Android and ChromeOSLocalNet: None, ServerIP: Gateways with address set as an FQDNLocalNet: All, ServerIP: Gateways with address set as an IP
PAN-OS with GlobalProtect app on iOSLocalNet: Third-party apps with the "Local Network" permission enabled and Apple apps, ServerIP: Gateways with address set as an FQDNLocalNet: Third-party apps with the "Local Network" permission disabled, ServerIP: Gateways with address set as an IP
PAN-OS with GlobalProtect app on Windows, macOS, and LinuxLocalNet: Configurations allowing local network access, ServerIP: Gateways with address set as an FQDNLocalNet: "No direct access to local network" enabled, ServerIP: Gateways with address set as an IP
Prisma Access with GlobalProtect app on Android and ChromeOSNoneAll
Prisma Access with GlobalProtect app on iOSLocalNet: Third-party apps with the "Local Network" permission enabled and Apple apps, ServerIP: NoneLocalNet: Third-party apps with the "Local Network" permission disabled, ServerIP: All
Prisma Access with GlobalProtect app on Windows, macOS, and LinuxLocalNet: Configurations allowing local network access, ServerIP: NoneLocalNet: "No direct access to local network" enabled, ServerIP: All

Required Configuration for Exposure

LocalNet attacks on Windows, macOS, and Linux only impact a GlobalProtect agent configuration that allows direct access to the local network setting in the Split Tunnel tab in the firewall configuration.

LocalNet attacks on iOS only impacts third-party apps that enable access to the Local Network as well as any Apple apps, such as Safari, that are enabled on the device.

ServerIP attacks are relevant only to PAN-OS firewall configurations with a GlobalProtect gateway enabled and an FQDN used for Gateway address.

You can verify whether you have a GlobalProtect portal or gateway configured by checking for entries in your web interface (select Network > GlobalProtect > Gateways).

You can verify if an FQDN is used for the Gateway address by navigating to Network > GlobalProtect > Portal > Agent > External Gateway.

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue on any of our products. Proof of concept exploits for these issues are publicly available.

Weakness Type

CWE-829 Inclusion of Functionality from Untrusted Control Sphere

Solution

No software updates are required at this time.

Please see the following KB article, which describes how to mitigate both LocalNet and ServerIP attacks: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000XgAlCAK

LocalNet attacks on Windows, macOS, and Linux are completely mitigated by enabling the "No direct access to local network" feature in the Split Tunnel tab on the firewall. Detailed information can be found at:

* https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/globalprotect/network-globalprotect-gateways/globalprotect-gateways-agent-tab/client-settings-tab

* https://docs.paloaltonetworks.com/prisma/prisma-access/3-0/prisma-access-panorama-admin/prisma-access-advanced-deployments/mobile-user-globalprotect-advanced-deployments/sinkhole-ipv6-traffic-from-mobile-users/configure-globalprotect-to-disable-direct-access-to-the-local-network

Note that enabling "No direct access to local network" prevents end users from connecting to local LAN devices such as home printers, network storage, or streaming devices. You can configure exceptions for specific users, operating systems, source addresses, destination domains, and applications by following the instructions at:

* https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-access-route

* https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application

LocalNet attacks against third party apps on iOS are completely mitigated by disabling access to the local Local Network on a per-app basis. LocalNet attacks against Apple apps, such as Safari, can be mitigated by disabling the apps. Detailed information can be found at:

* https://support.apple.com/en-us/HT211870

* https://support.apple.com/en-us/HT201304

ServerIP attacks are completely mitigated by navigating to Network > GlobalProtect > Portal > Agent > External Gateway and setting an IP address instead of an FQDN for the gateway configuration. Gateway certificates will need to be updated to include the IP address as a SAN or as a common name. Detailed information can be found at: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/globalprotect/network-globalprotect-portals/globalprotect-portals-agent-configuration-tab/globalprotect-portals-agent-external-tab

Workarounds and Mitigations

Please refer to the recommended configurations in the Solution section that completely mitigate these attacks.

Endpoints configured to use only an authenticated DNS mechanism such as DNS over TLS, DNS over HTTPS, or DNSSEC are also protected from the ServerIP attacks.

Acknowledgments

Palo Alto Networks thanks Dr. Mathy Vanhoef and team for the research on these issues.

Frequently Asked Questions

Q. Why is Prisma Access not impacted?

When GlobalProtect is used with Prisma Access, the IP address of Prisma Access is verified by the GlobalProtect app. A connection is not established if this verification fails. Hence, attacks that rely on DNS spoofing do not work.

Timeline

Updated product guidance for GlobalProtect app on iOS
Updated Frequently Asked Questions section
Added KB article to Solution section
Updated impact details
Updated impact details
Updated impact details
Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.