PAN-SA-2023-0004 Informational Bulletin: Impact of TunnelCrack Vulnerabilities (CVE-2023-36671, CVE-2023-36672, CVE-2023-35838, CVE-2023-36673)
Informational
The Palo Alto Networks Product Security Assurance team is aware of the research publication that details a combination of attacks named "TunnelCrack", referred to as LocalNet and ServerIP attacks below. These attacks leak VPN client traffic outside of the protected VPN tunnel when clients connect to untrusted networks such as rogue WiFi access points.
The LocalNet attack allows an attacker to take advantage of local network access features in multiple vendors' VPN clients to access unencrypted traffic.
The ServerIP attack allows an attacker to intercept traffic to a spoofed VPN gateway via DNS spoofing attacks.
These attacks do not allow the attacker to decrypt HTTPS or other encrypted traffic.
By default, GlobalProtect Agent deployments are not configured with local network access and hence are not vulnerable to LocalNet attacks.
Prisma Access customers are not impacted by the ServerIP attacks.
Palo Alto Networks is investigating this report as it relates to the GlobalProtect Gateway feature in PAN-OS.
This page will be updated once more information is available to share.
| Versions | Affected | Unaffected |
|---|---|---|
| GlobalProtect App | Specific local network access configurations | Default configurations |
| PAN-OS | Under investigation | |
| Prisma Access | None | All |
The LocalNet attack is only applicable to GlobalProtect Agent configurations that allow direct access to the local network; this is controlled by a setting in the Split Tunnel tab of the firewall configuration.
The ServerIP attack is relevant only to PAN-OS firewall configurations with a GlobalProtect gateway enabled. You can verify whether you have a GlobalProtect portal or gateway configured by checking for entries in 'Network > GlobalProtect > Gateways' in the web interface.
Palo Alto Networks is not aware of any malicious exploitation of this issue on any of our products.
No software updates are required at this time.
If direct access to the local network is enabled, the LocalNet attack can be mitigated by configuring the "No direct access to local network" setting in the Split Tunnel tab on the firewall. Detailed information can be found at: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/globalprotect/network-globalprotect-gateways/globalprotect-gateways-agent-tab/client-settings-tab
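One way to review the mitigation above across many gateway client configurations is to scan an exported XML configuration. This is an added example, not Palo Alto Networks code: the element names (`global-protect-gateway`, `remote-user-tunnel-configs`, `no-direct-access-to-local-network`) are assumptions to confirm against your own export, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Assumed element names for an exported PAN-OS XML configuration; they are not
# taken from the advisory, so confirm them against your own export.
GATEWAYS = ".//global-protect-gateway/entry"
CLIENT_CONFIGS = "remote-user-tunnel-configs/entry"
SETTING = "no-direct-access-to-local-network"

# Constructed sample input, not a real device configuration.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<global-protect><global-protect-gateway>
  <entry name="gw-example">
    <remote-user-tunnel-configs>
      <entry name="employees">
        <no-direct-access-to-local-network>yes</no-direct-access-to-local-network>
      </entry>
      <entry name="contractors">
        <no-direct-access-to-local-network>no</no-direct-access-to-local-network>
      </entry>
      <entry name="legacy"/>
    </remote-user-tunnel-configs>
  </entry>
</global-protect-gateway></global-protect>
</entry></vsys></entry></devices></config>
"""

def audit_local_network_access(xml_text):
    """Return (gateway, client_config, state) for every gateway client config."""
    root = ET.fromstring(xml_text)
    findings = []
    for gateway in root.iterfind(GATEWAYS):
        for client in gateway.iterfind(CLIENT_CONFIGS):
            value = (client.findtext(SETTING) or "").strip().lower()
            # "yes" = local network access blocked, "no" = allowed; anything
            # else is reported as "unset" so it gets checked in the web UI.
            state = {"yes": "blocked", "no": "allowed"}.get(value, "unset")
            findings.append((gateway.get("name"), client.get("name"), state))
    return findings

def needs_review(findings):
    """Keep only the client configs where the mitigation is not confirmed."""
    return [f for f in findings if f[2] != "blocked"]

if __name__ == "__main__":
    for gw, cfg, state in needs_review(audit_local_network_access(SAMPLE_CONFIG)):
        print(f"{gw}/{cfg}: local network access {state}")
```

Entries reported as `unset` carry no explicit value in the export, so confirm their effective setting in the Split Tunnel tab rather than inferring it.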