
CVE-2024-0009 PAN-OS: Improper IP Address Verification in GlobalProtect Gateway

Urgency REDUCED

Severity 5.3 · MEDIUM
Response Effort LOW
Recovery AUTOMATIC
Value Density DIFFUSE
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Automatable NO
User Interaction NONE
Product Confidentiality NONE
Product Integrity LOW
Product Availability NONE
Privileges Required LOW
Subsequent Confidentiality LOW
Subsequent Integrity LOW
Subsequent Availability LOW

Description

An improper verification vulnerability in the GlobalProtect gateway feature of Palo Alto Networks PAN-OS software enables a malicious user with stolen credentials to establish a VPN connection from an unauthorized IP address.

Product Status

Versions         Affected     Unaffected
Cloud NGFW       None         All
PAN-OS 11.1      None         All
PAN-OS 11.0      < 11.0.1     >= 11.0.1
PAN-OS 10.2      < 10.2.4     >= 10.2.4
PAN-OS 10.1      None         All
PAN-OS 9.1       None         All
PAN-OS 9.0       None         All
Prisma Access    None         All

Required Configuration for Exposure

This issue is applicable only to PAN-OS firewall configurations with a GlobalProtect gateway enabled. You can verify whether you have a GlobalProtect gateway configured by checking for entries in your firewall web interface (Network > GlobalProtect > Gateways).

Severity: MEDIUM, Suggested Urgency: REDUCED

CVSS-B: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/AU:N/R:A/V:D/RE:L/U:Green)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-940 Improper Verification of Source of a Communication Channel

Solution

This issue is fixed in PAN-OS 10.2.4, PAN-OS 11.0.1, and all later PAN-OS versions.
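The following is an added example, not Palo Alto Networks code: a triage check that applies the Product Status table and the GlobalProtect gateway precondition to a firewall inventory. It assumes version strings of the form x.y.z with an optional -hN hotfix suffix, and that the gateway flag comes from your own check of Network > GlobalProtect > Gateways; the function names and the sample inventory are constructed for illustration.

```python
import re

# First fixed version per release train, from the Product Status table.
# None means the advisory lists no affected versions for that train.
FIRST_FIXED = {
    "9.0": None, "9.1": None, "10.1": None,
    "10.2": (10, 2, 4),
    "11.0": (11, 0, 1),
    "11.1": None,
}

# Assumed version format: major.minor.maintenance with optional -hN hotfix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def classify(version, gp_gateway):
    """Return 'exposed', 'affected-no-gateway', 'unaffected' or 'unlisted'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {version!r}")
    major, minor, maint = (int(g) for g in m.groups()[:3])
    train = f"{major}.{minor}"
    if train not in FIRST_FIXED:
        return "unlisted"  # the advisory table does not cover this train
    fixed = FIRST_FIXED[train]
    # A hotfix suffix does not change the maintenance number, so it is
    # parsed for validation but ignored in the comparison.
    if fixed is None or (major, minor, maint) >= fixed:
        return "unaffected"
    # Affected version: exposure also requires a configured gateway.
    return "exposed" if gp_gateway else "affected-no-gateway"


def triage(inventory):
    """Map hostname -> status for (hostname, version, gp_gateway) rows."""
    return {host: classify(ver, gw) for host, ver, gw in inventory}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("fw-edge-01", "10.2.3-h4", True),
    ("fw-edge-02", "10.2.4", True),
    ("fw-core-01", "11.0.0", False),
    ("fw-lab-01", "10.1.9", True),
    ("fw-lab-02", "10.0.8", True),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:12} {status}")
```

Hosts reported as "unlisted" run a release train the table does not mention and need a manual check against the advisory.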

Acknowledgments

Palo Alto Networks thanks Matthew Fong for discovering and reporting this issue.

Timeline

Initial publication