Palo Alto Networks Security Advisories / CVE-2024-2431

CVE-2024-2431 GlobalProtect App: Local User Can Disable GlobalProtect

Urgency MODERATE

047910
Severity 5.7 · MEDIUM
Response Effort LOW
Recovery USER
Value Density DIFFUSE
Attack Vector LOCAL
Attack Complexity LOW
Attack Requirements PRESENT
Automatable YES
User Interaction NONE
Product Confidentiality NONE
Product Integrity NONE
Product Availability HIGH
Privileges Required LOW
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE

Description

An issue in the Palo Alto Networks GlobalProtect app enables a non-privileged user to disable the GlobalProtect app without needing the passcode in configurations that allow a user to disable GlobalProtect with a passcode.

Product Status

VersionsAffectedUnaffected
GlobalProtect App 6.2NoneAll
GlobalProtect App 6.1< 6.1.1>= 6.1.1
GlobalProtect App 6.0< 6.0.4>= 6.0.4
GlobalProtect App 5.2< 5.2.13>= 5.2.13
GlobalProtect App 5.1< 5.1.12>= 5.1.12

Required Configuration for Exposure

This is an issue only if "Allow User to Disable GlobalProtect App" is set to "Allow with Passcode". You should check this setting in your firewall web interface (Network > GlobalProtect > Portals > (portal-config) > Agent > (agent-config) > App) and take the appropriate actions as needed.

Severity: MEDIUM, Suggested Urgency: MODERATE

CVSS-B: 5.7 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:D/RE:L/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-269 Improper Privilege Management

Solution

This issue is fixed in GlobalProtect app 5.1.12, GlobalProtect app 5.2.13, GlobalProtect app 6.0.4, GlobalProtect app 6.1.1, and all later GlobalProtect app versions.

Workarounds and Mitigations

You can mitigate this issue by setting "Allow User to Disable GlobalProtect App" to "Disallow" or "Allow with Ticket."

Acknowledgments

Palo Alto Networks thanks AIG Red Team and Stephen Collyer for discovering and reporting this issue.

Timeline

Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.