URL: https://security.paloaltonetworks.com/CVE-2024-3661



CVE-2024-3661 IMPACT OF TUNNELVISION VULNERABILITY

Severity 2.1 · LOW
Urgency REDUCED
Response Effort MODERATE
Recovery AUTOMATIC
Value Density DIFFUSE
Attack Vector ADJACENT
Attack Complexity HIGH
Attack Requirements PRESENT
Automatable YES
User Interaction PASSIVE
Product Confidentiality LOW
Product Integrity LOW
Product Availability LOW
Privileges Required NONE
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE
Published 2024-05-16
Updated 2024-05-16
Reference
Discovered externally


DESCRIPTION

The Palo Alto Networks Product Security Assurance team has evaluated the
TunnelVision vulnerability as it relates to our products. This issue allows an
attacker with the ability to send DHCP messages on the same local area network,
such as a rogue Wi-Fi network, to leak traffic outside of the GlobalProtect
tunnel, allowing the attacker to read, disrupt, or possibly modify network
traffic that was expected to be protected by the GlobalProtect tunnel. However,
this attack does not enable the attacker to decrypt HTTPS or other encrypted
traffic.

Cloud NGFW, PAN-OS, and Prisma Access do not process DHCP option 121 and are
therefore unaffected.
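The description above hinges on DHCP option 121 (RFC 3442 classless static routes): a route pushed over DHCP that is at least as specific as the tunnel's own route for the same address space wins longest-prefix matching, so traffic to that space leaves the endpoint outside the tunnel. The following is an added, defender-side illustration, not code from the advisory or from Palo Alto Networks: it parses a DHCP options field, decodes option 121, and reports which pushed routes would take precedence over a given set of tunnel-protected prefixes. The sample options bytes are constructed for the example, and the function names and the tunnel prefix lists are assumptions.

```python
import ipaddress

# DHCP option codes used below (RFC 2132 / RFC 3442).
OPT_MESSAGE_TYPE = 53
OPT_CLASSLESS_STATIC_ROUTE = 121


def parse_dhcp_options(data: bytes) -> dict:
    """Parse the DHCP options field (bytes after the magic cookie) into
    {option_code: [raw_value, ...]}.  Pad (0) is skipped, End (255) stops."""
    opts: dict = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = data[i + 1]
        opts.setdefault(code, []).append(data[i + 2:i + 2 + length])
        i += 2 + length
    return opts


def parse_option_121(value: bytes) -> list:
    """Decode RFC 3442 classless static routes.  Each entry is
    <prefix width> <ceil(width/8) destination bytes> <4-byte router>."""
    routes = []
    i = 0
    while i < len(value):
        width = value[i]
        nbytes = (width + 7) // 8
        # Only the significant octets of the destination are encoded; pad to 4.
        dest = value[i + 1:i + 1 + nbytes].ljust(4, b"\x00")
        router = value[i + 1 + nbytes:i + 5 + nbytes]
        net = ipaddress.IPv4Network(
            f"{ipaddress.IPv4Address(dest)}/{width}", strict=False)
        routes.append((net, ipaddress.IPv4Address(router)))
        i += 5 + nbytes
    return routes


def leaked_routes(dhcp_routes, tunnel_prefixes):
    """Return the DHCP routes that would take precedence over the tunnel
    under longest-prefix matching: a pushed route lying inside a
    tunnel-protected prefix is at least as specific as the tunnel's own
    route for that space, so traffic to it would bypass the tunnel."""
    tunnel = [ipaddress.IPv4Network(p) for p in tunnel_prefixes]
    return [(net, via) for net, via in dhcp_routes
            if any(net.subnet_of(tp) for tp in tunnel)]


def analyze(options: bytes, tunnel_prefixes) -> list:
    """Run the full check; return leaked routes as 'prefix via router' strings."""
    opts = parse_dhcp_options(options)
    routes = []
    for raw in opts.get(OPT_CLASSLESS_STATIC_ROUTE, []):
        routes.extend(parse_option_121(raw))
    return [f"{net} via {via}" for net, via in leaked_routes(routes, tunnel_prefixes)]


# Constructed sample (not captured traffic): a DHCPOFFER options field carrying
# option 121 with two routes, 10.0.0.0/8 and 192.168.1.0/24, both via 192.168.1.1.
SAMPLE_OPTIONS = (
    bytes([OPT_MESSAGE_TYPE, 1, 2])                    # DHCP message type: OFFER
    + bytes([OPT_CLASSLESS_STATIC_ROUTE, 14])           # option 121, 14 bytes
    + b"\x08\x0a" + b"\xc0\xa8\x01\x01"                 # 10.0.0.0/8 via 192.168.1.1
    + b"\x18\xc0\xa8\x01" + b"\xc0\xa8\x01\x01"         # 192.168.1.0/24 via 192.168.1.1
    + b"\xff"                                           # End
)

if __name__ == "__main__":
    # Full tunnel (0.0.0.0/0): every pushed route overrides it.
    print("full tunnel :", analyze(SAMPLE_OPTIONS, ["0.0.0.0/0"]))
    # Split tunnel covering only 10.0.0.0/8: the LAN route is harmless.
    print("split tunnel:", analyze(SAMPLE_OPTIONS, ["10.0.0.0/8"]))
```

Run against a full tunnel, both pushed routes are reported, including the one for the local LAN; that is the same trade-off the advisory's "No direct access to local network" mitigation makes, where local-LAN reachability is sacrificed so that no pushed route can override the tunnel. Against a split tunnel that protects only 10.0.0.0/8, only the route overlapping that prefix is reported.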

GlobalProtect app on Windows and macOS systems with Endpoint Traffic Policy
Enforcement enabled is unaffected. Endpoint Traffic Policy Enforcement is
disabled by default.

GlobalProtect app on Linux is affected. A fix will be released in an upcoming
release.

GlobalProtect app on iOS with IncludeAllNetworks set to 1 is unaffected.

GlobalProtect app on Android is unaffected since the Android DHCP client does
not process DHCP option 121.


PRODUCT STATUS

Versions                                | Affected                                                                  | Unaffected
----------------------------------------|---------------------------------------------------------------------------|-----------------------------------------------------------------------
Cloud NGFW                              | None                                                                      | All
GlobalProtect app on Android            | None                                                                      | All
GlobalProtect app on iOS                | All versions without IncludeAllNetworks set to 1                          | All versions with IncludeAllNetworks set to 1
GlobalProtect app on Linux              | All                                                                       | Upcoming major release
GlobalProtect app on Windows and macOS  | All versions without Endpoint Traffic Policy Enforcement set to All Traffic | All versions with Endpoint Traffic Policy Enforcement set to All Traffic
PAN-OS                                  | None                                                                      | All
Prisma Access                           | None                                                                      | All


SEVERITY: LOW

CVSSv4.0 Base Score: 2.1
(CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/AU:Y/R:A/V:D/RE:M/U:Green)


EXPLOITATION STATUS

Palo Alto Networks is not aware of any malicious exploitation of this issue in
any of our products.


WEAKNESS TYPE

CWE-501 Trust Boundary Violation

CWE-306 Missing Authentication for Critical Function


SOLUTION

For Windows and macOS devices, ensure that Endpoint Traffic Policy Enforcement
is set to All Traffic (Network → GlobalProtect Portals → <portal-config> → Agent
→ <agent-config> → App → Endpoint Traffic Policy Enforcement). Please see the
following document for additional details:
https://docs.paloaltonetworks.com/globalprotect/6-0/globalprotect-app-new-features/new-features-released-in-gp-app/endpoint-traffic-policy-enforcement.

For iOS devices, ensure that IncludeAllNetworks is set to 1 using mobile device
management. For additional guidance, please see our mobile device management
documentation at
https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/mobile-endpoint-management
and the Apple documentation at
https://developer.apple.com/documentation/devicemanagement/vpn/vpn. To allow
users to access their local network, ensure that ExcludeLocalNetwork is set to
1, so that the GlobalProtect app will route all local network traffic outside
the tunnel.

Updates will be released for the GlobalProtect app on Linux in an upcoming major
release.


WORKAROUNDS AND MITIGATIONS

For the GlobalProtect app on Windows, macOS, and Linux, this attack can be
mitigated by enabling the "No direct access to local network" feature in the
Split Tunnel tab on the firewall. Detailed information can be found at:

* https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/globalprotect/network-globalprotect-gateways/globalprotect-gateways-agent-tab/client-settings-tab

* https://docs.paloaltonetworks.com/prisma/prisma-access/3-0/prisma-access-panorama-admin/prisma-access-advanced-deployments/mobile-user-globalprotect-advanced-deployments/sinkhole-ipv6-traffic-from-mobile-users/configure-globalprotect-to-disable-direct-access-to-the-local-network

Note that enabling "No direct access to local network" prevents end users from
connecting to local LAN devices such as home printers, network storage, or
streaming devices. You can configure exceptions for specific users, operating
systems, source addresses, destination domains, and applications by following
the instructions at:

* https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-access-route

* https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application

You can mitigate this attack for the GlobalProtect app on iOS devices by
disabling Wi-Fi.


TIMELINE

2024-05-16 Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.