Palo Alto Networks Warns of GlobalProtect App Flaw with Public Exploit Code (CVE-2024-5921)

CVE-2024-5921

Palo Alto Networks has issued a security advisory warning of a vulnerability in its GlobalProtect app that could allow attackers to install malicious software on endpoints.

The vulnerability, identified as CVE-2024-5921, is an insufficient certification validation issue that enables attackers to connect the GlobalProtect app to arbitrary servers. This allows them to install malicious root certificates on the endpoint, which can then be used to install malicious software signed by those certificates.

An insufficient certification validation issue in the Palo Alto Networks GlobalProtect app enables attackers to connect the GlobalProtect app to arbitrary servers,” the advisory states.

The vulnerability affects all versions of GlobalProtect app 6.3, 6.1, 6.0, 5.1, and GlobalProtect UWP App on Windows. It also affects all versions of GlobalProtect app 6.2 on macOS and Linux, as well as versions of GlobalProtect app 6.2 prior to 6.2.6 on Windows.

Palo Alto Networks says it is not aware of any malicious exploitation of this vulnerability. However, the company is aware of a publicly available conference talk discussing the issue.

The vulnerability is fixed in GlobalProtect app 6.2.6 and all later GlobalProtect app 6.2 versions on Windows. To mitigate the issue in other versions of the app, Palo Alto Networks recommends using the GlobalProtect app in FIPS-CC mode. Additionally, Palo Alto Networks provides specific installation parameters to enforce strict certificate validation:

Install GlobalProtect with the pre-deployment key FULLCHAINCERTVERIFY set to Yes:

msiexec.exe /i GlobalProtect64.msi FULLCHAINCERTVERIFY=”yes”

To specify the certificate store and the location within the certificate store that is used to load the certificates for certificate validation, install GlobalProtect using the following parameters:

msiexec.exe /i GlobalProtect64.msi FULLCHAINCERTVERIFY=”yes” CERTSTORE=”machine” CERTLOCATION=”ROOT”

Valid options for CERTSTORE are “machine” (recommended) and “user.”

Valid options for CERTLOCATION are “ROOT” (recommended), “MY,” “trusted publisher,” “ca,” “truest,” “authroot,” “smartcardroot,” and “userds.”

If either CERTSTORE or CERTLOCATION is unspecified, the GlobalProtect app will load the certificates from the root of the machine store by default.

This vulnerability is a serious security risk, as it could allow attackers to take complete control of endpoints. Organizations that use the GlobalProtect app should take immediate steps to mitigate the risk. This includes installing the latest version of the app or enabling FIPS-CC mode.

Related Posts: