Palo Alto Networks closes door on TunnelCrack

Palo Alto Networks has published its response to the TunnelCrack VPN eavesdropping technique that academics demonstrated earlier this month.

The researchers announced that most VPNs could be tricked into leaking traffic.

They detailed two vulnerabilities, one that allowed traffic to leak on the VPN client side (LocalNet), the other on the server side (ServerIP).

Palo Alto Networks has now published an advisory in response, saying the vulnerability is specific to product and configuration.

Its GlobalProtect agent deployments on iOS, Android, and ChromeOS are not vulnerable to LocalNet attacks; and all platforms running GlobalProtect are safe if they’re configured with no direct access to the local network.

“Additionally, Prisma Access customers are not impacted by ServerIP attacks. PAN-OS with GlobalProtect Gateways configured with the address set as an IP are not impacted by ServerIP attacks”, the advisory stated.

However, the GlobalProtect application on PAN-OS gateways are vulnerable to ServerIP if their address is set as a fully-qualified domain name (FQDN); and to LocalNet if they have local network access.

Similarly, Prisma Access with the GlobalProtect application is vulnerable to LocalNet if local network access is enabled.

“No software updates are required at this time,” Palo Alto said, referring customers to this knowledge base article for specific configuration instructions.

“Note that enabling ‘No direct access to local network’ prevents end users from connecting to local LAN devices such as home printers, network storage, or streaming devices,” the advisory noted, adding that admins can configure exceptions for “specific users, operating systems, source addresses, destination domains, and applications”.