Palo Alto Networks Product Security Incident Response Team, PA-CVE-2024-3661
May 16, 2024 - 4:00 p.m.

Impact of TunnelVision Vulnerability

securityadvisories.paloaltonetworks.com
Tags: tunnelvision vulnerability, globalprotect, dhcp messages, rogue wi-fi network, traffic leak, windows, macos, linux, ios, android, mitigation, workaround, prisma access, cloud ngfw, pan-os, palo alto networks, endpoint traffic policy enforcement, dhcp option 121, encryption, attack mitigation, split tunnel, wi-fi disabling, software vulnerability

CVSS3: 7.6 High
Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: LOW
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

AI Score: 6.3 Medium (Confidence: Low)
EPSS: 0.0005 Low (Percentile: 17.2%)

The Palo Alto Networks Product Security Assurance team has evaluated the TunnelVision vulnerability as it relates to our products. This issue allows an attacker with the ability to send DHCP messages on the same local area network, such as a rogue Wi-Fi network, to leak traffic outside of the GlobalProtect tunnel, allowing the attacker to read, disrupt, or possibly modify network traffic that was expected to be protected by the GlobalProtect tunnel. However, this attack does not enable the attacker to decrypt HTTPS or other encrypted traffic.
Cloud NGFW, PAN-OS, and Prisma Access do not process DHCP option 121 and are therefore unaffected.
The GlobalProtect app on Windows and macOS systems with Endpoint Traffic Policy Enforcement enabled is unaffected. Endpoint Traffic Policy Enforcement is disabled by default.
GlobalProtect app on Linux is affected. A fix will be released in an upcoming release.
GlobalProtect app on iOS with IncludeAllNetworks set to 1 is unaffected.
GlobalProtect app on Android is unaffected since the Android DHCP client does not process DHCP option 121.

Workaround:
For the GlobalProtect app on Windows, macOS, and Linux, this attack can be mitigated by enabling the “No direct access to local network” feature in the Split Tunnel tab on the firewall. Detailed information can be found at:
