CVE-2024-0009 PAN-OS: Improper IP Address Verification in GlobalProtect Gateway
Description
An improper verification vulnerability in the GlobalProtect gateway feature of Palo Alto Networks PAN-OS software enables a malicious user with stolen credentials to establish a VPN connection from an unauthorized IP address.
Product Status
Versions | Affected | Unaffected |
---|---|---|
Cloud NGFW | None | All |
PAN-OS 11.1 | None | All |
PAN-OS 11.0 | < 11.0.1 | >= 11.0.1 |
PAN-OS 10.2 | < 10.2.4 | >= 10.2.4 |
PAN-OS 10.1 | None | All |
PAN-OS 9.1 | None | All |
PAN-OS 9.0 | None | All |
Prisma Access | None | All |
Required Configuration for Exposure
This issue is applicable only to PAN-OS firewall configurations with a GlobalProtect gateway enabled. You can verify whether you have a GlobalProtect gateway configured by checking for entries in your firewall web interface (Network > GlobalProtect > Gateways).
Severity: MEDIUM, Suggested Urgency: REDUCED
CVSS-B: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/AU:N/R:A/V:D/RE:L/U:Green)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type
CWE-940 Improper Verification of Source of a Communication Channel
Solution
This issue is fixed in PAN-OS 10.2.4, PAN-OS 11.0.1, and all later PAN-OS versions.
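As an added example (not Palo Alto Networks' own tooling), the following script turns the Product Status table and the "Required Configuration for Exposure" note above into a repeatable inventory check: it classifies a PAN-OS version as affected, unaffected or outside the table, and combines that with whether a GlobalProtect gateway is configured. It assumes PAN-OS version strings of the form `major.minor.patch` with an optional `-hN` hotfix suffix, treats hotfix builds of an affected maintenance release as still affected (the advisory places the fix in 10.2.4 and 11.0.1 themselves), and takes the gateway-configured flag as an input supplied from the manual check (Network > GlobalProtect > Gateways) rather than reading device configuration. The inventory at the bottom is constructed sample data.

```python
"""Check PAN-OS versions against the CVE-2024-0009 affected ranges.

Added example, not Palo Alto Networks' code. Assumes version strings
such as "10.2.3" or "10.2.3-h2"; the hotfix suffix is parsed but does
not change the affected/unaffected decision, which is made on the
major.minor.patch release as in the advisory's Product Status table.
"""
import re
from typing import Optional, Tuple

# (major, minor) -> first fixed maintenance release, from the advisory table.
FIXED_IN = {
    (10, 2): 4,   # PAN-OS 10.2: < 10.2.4 affected, >= 10.2.4 unaffected
    (11, 0): 1,   # PAN-OS 11.0: < 11.0.1 affected, >= 11.0.1 unaffected
}
# Release trains the advisory lists with "None" affected / "All" unaffected.
UNAFFECTED_TRAINS = {(9, 0), (9, 1), (10, 1), (11, 1)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Split "major.minor.patch[-hN]" into (major, minor, patch, hotfix).

    Raises ValueError on anything else so an unparseable inventory entry
    is never silently reported as unaffected.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def is_affected(version: str) -> Optional[bool]:
    """True if the version is in an affected range, False if the advisory
    lists it as unaffected, None if the train is not in the table."""
    major, minor, patch, _hotfix = parse_version(version)
    train = (major, minor)
    if train in FIXED_IN:
        return patch < FIXED_IN[train]
    if train in UNAFFECTED_TRAINS:
        return False
    return None  # train not covered by the advisory's Product Status table


def is_exposed(version: str, gateway_configured: bool) -> Optional[bool]:
    """Apply the exposure precondition: the issue applies only when a
    GlobalProtect gateway is configured on the firewall."""
    affected = is_affected(version)
    if affected is None:
        return None
    return affected and gateway_configured


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, PAN-OS version, gateway configured).
    inventory = [
        ("fw-edge-1", "10.2.3-h2", True),
        ("fw-edge-2", "10.2.4", True),
        ("fw-dc-1", "11.0.0", False),
        ("fw-lab-1", "10.1.9", True),
    ]
    labels = {True: "EXPOSED", False: "not exposed", None: "train not in advisory"}
    for host, ver, gw in inventory:
        print(f"{host:10} {ver:10} gateway={str(gw):5} -> {labels[is_exposed(ver, gw)]}")
```

A firewall on an unaffected train with a gateway configured, or an affected version with no gateway, both come out as not exposed; only an affected version together with a configured gateway is flagged, which is the combination the advisory describes.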