Palo Alto's stance on CVE-2024-3661

JamesH1318 · ‎05-08-2024

Does PA have a response to CVE-2024-3661 for it's GlobalProtect users?

Brandon_Wertz · ‎05-08-2024

@JamesH1318 wrote:

Does PA have a response to CVE-2024-3661 for it's GlobalProtect users?

This post is lacking context. This CVE isn't specific to Palo Alto, and according to NIST is a relatively low risk.

JamesH1318 · ‎05-08-2024

I'm not sure how 7.6 High equates to "relatively low." It's true that it's not Palo Alto specific but it does affect GlobalProtect. I would expect Palo Alto to do some research and determine the best mitigation steps, if any, for GP users.

KirkHartstrom · ‎05-09-2024

I'd be interested in mitigation options as well. One idea I had would be push multiple /2 routes instead of the 0.0.0.0/0 route to my GP clients, obviously that isn't full proof. I could also add /32 routes to my high value hosts so I know that traffic will route via the VPN.

TomYoung · ‎05-09-2024

Hi @JamesH1318 ,

Thank you for your timely post! I do not work for PANW, but I imagine they are working on a response.

CVE-2024-3661, a.k.a TunnelVision, is very similar to TunnelCrack, https://security.paloaltonetworks.com/PAN-SA-2023-0004. If you scroll down to the Solution section of the URL, you will see a PANW article detailing the mitigation. In this case, I think checking the box "No direct access to local network" should mitigate this CVE, much like it did the LocalNet attack portion of Tunnel Crack.

Hopefully, we will hear an official word soon.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

googol · ‎05-09-2024

I contacted support and them/PSIRT says they are not affected by this CVE. we'll see if they post something.

JamesH1318 · ‎05-13-2024

Thanks. I think it's more than that. I think the only real mitigation is to disable local LAN access AND disable split tunneling. Only then do I believe GP ignores the routing table and sends everything down the tunnel. But, as you said, hopefully, PAN will respond.