Palo Alto Networks Security Advisories / CVE-2020-1989

CVE-2020-1989 GlobalProtect App: Incorrect privilege assignment allows local privilege escalation

047910
Severity 7 · HIGH
Attack Vector LOCAL
Attack Complexity HIGH
Privileges Required LOW
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH
NVD JSON
Published 2020-04-08
Updated 2020-04-27
Reference GPC-9358
Discovered internally

Description

An incorrect privilege assignment vulnerability when writing application-specific files in the Palo Alto Networks GlobalProtect App for Linux on ARM platform allows a local authenticated user to gain root privileges on the system.

This issue affects Palo Alto Networks GlobalProtect App for Linux 5.0 versions before 5.0.8; 5.1 versions before 5.1.1.

Product Status

VersionsAffectedUnaffected
GlobalProtect App 5.1< 5.1.1 on Linux ARM>= 5.1.1 on Linux ARM
GlobalProtect App 5.0< 5.0.8 on Linux ARM>= 5.0.8 on Linux ARM

Severity: HIGH

CVSSv3.1 Base Score: 7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Weakness Type

CWE-266 Incorrect Privilege Assignment

Solution

This issue is fixed in GlobalProtect App 5.0.8, GlobalProtect App 5.1.1 and all later versions.

Workarounds and Mitigations

There are no viable workarounds for this issue.

Timeline

Initial publication
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure Policy Report vulnerabilitiesManage subscriptions
© 2020 Palo Alto Networks, Inc. All rights reserved.