Palo Alto Globalprotect: Malicious code weakness via weak certificate validation

A vulnerability in Palo Alto Networks Globalprotect VPN app allows attackers to completely compromise computers.

(Image: a server in the center with connections to surrounding clients and encryption symbols; created with AI in Bing Designer by heise online / dmk)


Palo Alto Networks Globalprotect app is used to establish VPN connections. A vulnerability allows attackers to inject malicious code and install it on vulnerable computers with elevated privileges.

The discoverers of the vulnerability from Amberwolf write in their detailed analysis that the Globalprotect VPN clients under both macOS and Windows are vulnerable to the execution of malicious code from the network and to elevation of privileges through the automatic update mechanism (CVE-2024-5921, CVSS-B 7.2, risk "high"). Although the update process requires MSI files to be signed, attackers can misuse the PanGPS service to install a malicious root certificate, which is then trusted. The updates then run with the rights of the service component – root on macOS and SYSTEM on Windows.
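A defender-side check that follows from the mechanism described above: because the attack hinges on a root certificate being added to the machine-wide trust store, a host that keeps a baseline of that store and re-audits it will surface the unexpected CA. The following PowerShell script is an added example written for this page; it is not code from heise, Amberwolf or Palo Alto Networks. The baseline path is an assumption, and the cmdlets used (Get-ChildItem on the Cert: drive, Export-Csv, Import-Csv, Compare-Object) are standard Windows PowerShell.

```powershell
# Added example (not from the article, Amberwolf or Palo Alto Networks):
# snapshot the machine-wide trusted root store and report roots that were not
# present in a known-good baseline. The baseline path is an assumption.

param(
    [string]$BaselinePath = "C:\ProgramData\RootCA-Baseline.csv",
    [switch]$WriteBaseline
)

function Get-RootStoreSnapshot {
    # Cert:\LocalMachine\Root is writable by SYSTEM; a CA planted there is
    # trusted by every user and service on the host, which is exactly what
    # lets a forged code-signing chain pass an MSI signature check.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter
}

$current = Get-RootStoreSnapshot

if ($WriteBaseline -or -not (Test-Path $BaselinePath)) {
    # Take the baseline on a clean, known-good build, before the host is in use.
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline written: $($current.Count) root certificates -> $BaselinePath"
    return
}

$baseline = Import-Csv -Path $BaselinePath

# The thumbprint (SHA-1 over the DER encoding) is the stable identity of a
# store entry, so comparing on it alone is sufficient to detect additions.
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Thumbprint

$added = $diff |
    Where-Object SideIndicator -eq '=>' |
    ForEach-Object { $t = $_.Thumbprint; $current | Where-Object Thumbprint -eq $t }

if (-not $added) {
    Write-Output "Root store matches baseline ($($current.Count) certificates)."
    return
}

# Report every root that is trusted now but was not trusted at baseline time.
# A recent NotBefore date, an unfamiliar Subject, or an addition that coincides
# with a VPN client update are the details worth following up on.
Write-Warning "$($added.Count) root certificate(s) not present in baseline:"
$added | Format-Table Thumbprint, Subject, NotBefore, NotAfter -AutoSize
```

Run it once with `-WriteBaseline` on a freshly imaged machine, then schedule the plain invocation; ship the warning lines to your log pipeline so an unexpected root CA becomes an alert rather than something found after the fact. The same idea applies on macOS with the System keychain, but the tooling differs and is not covered here.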

By default, users can enter any endpoints in the user interface of the VPN clients. Attackers can exploit this with social engineering, for example, to trick victims into connecting to malicious VPN servers. These can steal access data and compromise systems with malicious client updates.


In the security announcement, Palo Alto explains that Globalprotect Apps 6.3 for all operating systems, 6.2 for Linux, macOS and Windows, 6.1 for all operating systems, the Globalprotect iOS app and the UWP app are affected by the vulnerability. Palo Alto is still analyzing the Android version. Globalprotect 5.1 and 6.0 in FIPS-CC mode are not affected; the developers also mention enabling FIPS-CC mode as a possible workaround. In addition, the vulnerability is no longer present in Globalprotect 6.2.6 for Windows.

The timeline given by Palo Alto only begins with the publication of the security announcement on Tuesday. However, Amberwolf writes that Palo Alto was already informed about the vulnerability in April. In addition, Palo Alto plays down the danger of the vulnerability and refers in its own announcement to the temporal score according to CVSS – a rating that, by construction, practically always classifies a vulnerability as a lower threat over time. The CVSS-BT value of 5.1 thus suggests a merely medium severity that would not require immediate action on the part of IT managers.

Several Palo Alto Networks products are currently being targeted by attackers. However, the well-known company is not exactly distinguishing itself by transparent handling of vulnerabilities. Dates in the advisories on PAN-OS vulnerabilities, some of which have already been abused in the wild, do not match those given by the groups that reported the vulnerabilities or attacks. Even confirmations of attacks by the US IT security authority CISA have, in other cases, not been enough for Palo Alto to state with certainty that a vulnerability has already been exploited. At the time of writing last Friday, IT security researchers had already counted more than 2000 compromised Palo Alto devices. Palo Alto's IT security department Unit 42 spoke of medium to high confidence that a functioning exploit exists.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.