Palo Alto's stance on CVE-2024-3661

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Palo Alto's stance on CVE-2024-3661

L1 Bithead

Does PA have a response to CVE-2024-3661 for it's GlobalProtect users?

9 REPLIES 9

L6 Presenter

@JamesH1318 wrote:

Does PA have a response to CVE-2024-3661 for it's GlobalProtect users?


This post is lacking context.  This CVE isn't specific to Palo Alto, and according to NIST is a relatively low risk.

 

 

Brandon_Wertz_0-1715181733402.png

 

L1 Bithead

I'm not sure how 7.6 High equates to "relatively low."  It's true that it's not Palo Alto specific but it does affect GlobalProtect. I would expect Palo Alto to do some research and determine the best mitigation steps, if any, for GP users. 

L0 Member

I'd be interested in mitigation options as well. One idea I had would be push multiple /2 routes instead of the 0.0.0.0/0 route to my GP clients, obviously that isn't full proof. I could also add /32 routes to my high value hosts so I know that traffic will route via the VPN.

Cyber Elite
Cyber Elite

Hi @JamesH1318 ,

 

Thank you for your timely post!  I do not work for PANW, but I imagine they are working on a response.

 

CVE-2024-3661, a.k.a TunnelVision, is very similar to TunnelCrack, https://security.paloaltonetworks.com/PAN-SA-2023-0004.  If you scroll down to the Solution section of the URL, you will see a PANW article detailing the mitigation.  In this case, I think checking the box "No direct access to local network" should mitigate this CVE, much like it did the LocalNet attack portion of Tunnel Crack.

 

Hopefully, we will hear an official word soon.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L3 Networker

I contacted support and them/PSIRT says they are not affected by this CVE. we'll see if they post something.

Thanks. I think it's more than that. I think the only real mitigation is to disable local LAN access AND disable split tunneling. Only then do I believe GP ignores the routing table and sends everything down the tunnel. But, as you said, hopefully, PAN will respond.

Cyber Elite
Cyber Elite

Hello,

Since it requires a malicious DHCP server, etc. I would suggest using your phone as a hotspot when need WiFi away from a trusted source.

Regards,

Cyber Elite
Cyber Elite

Hi @JamesH1318 ,

 

The response was just released.  https://security.paloaltonetworks.com/CVE-2024-3661

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L1 Bithead

Here is the CVE advisory published today - https://security.paloaltonetworks.com/CVE-2024-3661

  • 5421 Views
  • 9 replies
  • 6 Likes
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!