topic Re: Palo Alto's stance on CVE-2024-3661 in General Topics

Palo Alto's stance on CVE-2024-3661

JamesH1318 — Wed, 08 May 2024 12:57:52 GMT

Does PA have a response to CVE-2024-3661 for it's GlobalProtect users?

Re: Palo Alto's stance on CVE-2024-3661

Brandon_Wertz — Wed, 08 May 2024 15:22:46 GMT

@JamesH1318 wrote:

Does PA have a response to CVE-2024-3661 for it's GlobalProtect users?

This post is lacking context. This CVE isn't specific to Palo Alto, and according to NIST is a relatively low risk.

Re: Palo Alto's stance on CVE-2024-3661

JamesH1318 — Thu, 09 May 2024 02:26:29 GMT

I'm not sure how 7.6 High equates to "relatively low." It's true that it's not Palo Alto specific but it does affect GlobalProtect. I would expect Palo Alto to do some research and determine the best mitigation steps, if any, for GP users.

Re: Palo Alto's stance on CVE-2024-3661

KirkHartstrom — Thu, 09 May 2024 19:29:07 GMT

I'd be interested in mitigation options as well. One idea I had would be push multiple /2 routes instead of the 0.0.0.0/0 route to my GP clients, obviously that isn't full proof. I could also add /32 routes to my high value hosts so I know that traffic will route via the VPN.

Re: Palo Alto's stance on CVE-2024-3661

TomYoung — Thu, 09 May 2024 20:51:35 GMT

Hi @JamesH1318 ,

Thank you for your timely post! I do not work for PANW, but I imagine they are working on a response.

CVE-2024-3661, a.k.a TunnelVision, is very similar to TunnelCrack, https://security.paloaltonetworks.com/PAN-SA-2023-0004. If you scroll down to the Solution section of the URL, you will see a PANW article detailing the mitigation. In this case, I think checking the box "No direct access to local network" should mitigate this CVE, much like it did the LocalNet attack portion of Tunnel Crack.

Hopefully, we will hear an official word soon.

Thanks,

Tom

Re: Palo Alto's stance on CVE-2024-3661

googol — Thu, 09 May 2024 20:54:24 GMT

I contacted support and them/PSIRT says they are not affected by this CVE. we'll see if they post something.

Re: Palo Alto's stance on CVE-2024-3661

JamesH1318 — Mon, 13 May 2024 12:38:15 GMT

Thanks. I think it's more than that. I think the only real mitigation is to disable local LAN access AND disable split tunneling. Only then do I believe GP ignores the routing table and sends everything down the tunnel. But, as you said, hopefully, PAN will respond.

Re: Palo Alto's stance on CVE-2024-3661

OtakarKlier — Mon, 13 May 2024 19:54:43 GMT

Hello,

Since it requires a malicious DHCP server, etc. I would suggest using your phone as a hotspot when need WiFi away from a trusted source.

Regards,

Re: Palo Alto's stance on CVE-2024-3661

TomYoung — Thu, 16 May 2024 16:28:30 GMT

Hi @JamesH1318 ,

The response was just released. https://security.paloaltonetworks.com/CVE-2024-3661

Thanks,

Tom

Re: Palo Alto's stance on CVE-2024-3661

trjohnson — Thu, 16 May 2024 17:43:52 GMT

Here is the CVE advisory published today - https://security.paloaltonetworks.com/CVE-2024-3661