security.paloaltonetworks.com
34.49.135.97
Public Scan
URL:
https://security.paloaltonetworks.com/CVE-2024-5921
Submission: On November 26 via api from DE — Scanned from CA
Form analysis
0 forms found in the DOM
Text Content
CVE-2024-5921 GLOBALPROTECT APP: INSUFFICIENT CERTIFICATE VALIDATION LEADS TO PRIVILEGE ESCALATION

Urgency: MODERATE
Severity: 5.6 · MEDIUM
Exploit Maturity: POC
Response Effort: MODERATE
Recovery: USER
Value Density: DIFFUSE
Attack Vector: LOCAL
Attack Complexity: LOW
Attack Requirements: PRESENT
Automatable: NO
User Interaction: NONE
Product Confidentiality: NONE
Product Integrity: HIGH
Product Availability: NONE
Privileges Required: LOW
Subsequent Confidentiality: NONE
Subsequent Integrity: HIGH
Subsequent Availability: NONE

Published: 2024-11-25
Updated: 2024-11-25
Reference: GPC-19860, GPC-19861

DESCRIPTION
An insufficient certificate validation issue in the Palo Alto Networks GlobalProtect app enables attackers to connect the GlobalProtect app to arbitrary servers. This can enable an attacker to install malicious root certificates on the endpoint and subsequently install malicious software signed by the malicious root certificates on that endpoint.

PRODUCT STATUS
Versions                 Affected               Unaffected
GlobalProtect App 6.3    All                    None
GlobalProtect App 6.2    < 6.2.6 on Windows     >= 6.2.6
GlobalProtect App 6.2    All on MacOS, Linux    None on MacOS, Linux
GlobalProtect App 6.1    All                    None
GlobalProtect App 6.0    All                    None
GlobalProtect App 5.1    All                    None
GlobalProtect UWP App    All on Windows         None on Windows

SEVERITY: MEDIUM, SUGGESTED URGENCY: MODERATE
CVSS-BT: 5.6 / CVSS-B: 6.8 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:P/AU:N/R:U/V:D/RE:M/U:Amber)

EXPLOITATION STATUS
Palo Alto Networks is not aware of any malicious exploitation of this issue. We are aware of a publicly available conference talk discussing this issue.

WEAKNESS TYPE AND IMPACT
CWE-295 Improper Certificate Validation
CAPEC-233 Privilege Escalation

SOLUTION
This issue is fixed in GlobalProtect app 6.2.6 and all later GlobalProtect app 6.2 versions on Windows.
Install GlobalProtect with the pre-deployment key FULLCHAINCERTVERIFY set to Yes:

    msiexec.exe /i GlobalProtect64.msi FULLCHAINCERTVERIFY="yes"

To specify the certificate store and the location within the certificate store that is used to load the certificates for certificate validation, install GlobalProtect using the following parameters:

    msiexec.exe /i GlobalProtect64.msi FULLCHAINCERTVERIFY="yes" CERTSTORE="machine" CERTLOCATION="ROOT"

Valid options for CERTSTORE are "machine" (recommended) and "user". Valid options for CERTLOCATION are "ROOT" (recommended), "MY", "trusted publisher", "ca", "truest", "authroot", "smartcardroot", and "userds". If either CERTSTORE or CERTLOCATION is unspecified, the GlobalProtect app will load the certificates from the root of the machine store by default.

WORKAROUNDS AND MITIGATIONS
You can mitigate this issue by using the GlobalProtect app in FIPS-CC mode. For details, review the documentation on how to enable and verify FIPS-CC mode.

ACKNOWLEDGMENTS
Palo Alto Networks thanks Maxime ESCOURBIAC, Michelin CERT, Yassine BENGANA, Abicom for Michelin CERT, and Richard Warren and David Cash of AmberWolf for discovering and reporting the issue.

TIMELINE
2024-11-25 Initial publication

© 2024 Palo Alto Networks, Inc. All rights reserved.