PAN-SA-2023-0004 Informational Bulletin: Impact of TunnelCrack Vulnerabilities (CVE-2023-36671 CVE-2023-36672 CVE-2023-35838 CVE-2023-36673)

Related Vulnerabilities: CVE-2023-36671, CVE-2023-36672, CVE-2023-35838, CVE-2023-36673


Informational

Description

The Palo Alto Networks Product Security Assurance team is aware of the research publication that details a combination of attacks named "TunnelCrack", referred to as LocalNet and ServerIP attacks below. These attacks leak VPN client traffic outside of the protected VPN tunnel when clients connect to untrusted networks such as rogue WiFi access points.

The LocalNet attack allows an attacker to take advantage of local network access features in multiple vendors' VPN clients to access unencrypted traffic.

The ServerIP attack allows an attacker to intercept traffic to a spoofed VPN gateway via DNS spoofing attacks.

These attacks do not allow the attacker to decrypt HTTPS or other encrypted traffic.

By default, GlobalProtect Agent deployments are not configured with local network access and are hence not vulnerable to LocalNet attacks.

Prisma Access customers are not impacted by the ServerIP attacks.

Palo Alto Networks is investigating this report as it relates to the GlobalProtect Gateway feature in PAN-OS.

This page will be updated once more information is available to share.

Product Status

Versions | Affected | Unaffected
GlobalProtect App | Specific local network access configurations | Default configurations
PAN-OS | Under investigation
Prisma Access | None | all

Required Configuration for Exposure

The LocalNet attack is only applicable to GlobalProtect Agent configurations that allow direct access to the local network, which is controlled by a setting in the Split Tunnel tab of the firewall configuration.

The ServerIP attack is relevant only to PAN-OS firewall configurations with a GlobalProtect gateway enabled. You can verify whether you have a GlobalProtect portal or gateway configured by checking for entries in 'Network > GlobalProtect > Gateways' from the web interface.

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue on any of our products.

Solution

No software updates are required at this time.

Workarounds and Mitigations

If direct access to the local network is enabled, the LocalNet attack can be mitigated by configuring the "No direct access to local network" setting in the Split Tunnel tab on the firewall. Detailed information can be found at: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/globalprotect/network-globalprotect-gateways/globalprotect-gateways-agent-tab/client-settings-tab

Timeline

Initial publication