CVE-2024-3388 PAN-OS: User Impersonation in GlobalProtect SSL VPN
Description
A vulnerability in the GlobalProtect Gateway in Palo Alto Networks PAN-OS software enables an authenticated attacker to impersonate another user and send network packets to internal assets. However, this vulnerability does not allow the attacker to receive response packets from those internal assets.
Product Status
Versions | Affected | Unaffected |
---|---|---|
Cloud NGFW | None | All |
PAN-OS 11.1 | None | All |
PAN-OS 11.0 | < 11.0.3 | >= 11.0.3 |
PAN-OS 10.2 | < 10.2.7-h3 | >= 10.2.7-h3 |
PAN-OS 10.1 | < 10.1.11-h4 | >= 10.1.11-h4 |
PAN-OS 9.1 | < 9.1.17 | >= 9.1.17 |
PAN-OS 9.0 | < 9.0.17-h4 | >= 9.0.17-h4 |
PAN-OS 8.1 | < 8.1.26 | >= 8.1.26 |
Prisma Access | < 10.2.4 | >= 10.2.4 |
Required Configuration for Exposure
This issue applies only to PAN-OS firewall configurations with an enabled GlobalProtect gateway and where you are permitting use of the SSL VPN either as a fallback or as the only available tunnel mode. You should verify whether you have a configured GlobalProtect gateway by checking for entries in your firewall web interface (Network > GlobalProtect > Gateways). You can also verify:
- Whether SSL VPN fallback is permitted (check to see if the "Disable Automatic Restoration of SSL VPN" option is disabled in the GlobalProtect Gateway Configuration dialog by selecting Agent > Connection Settings) or;
- Whether SSL VPN is the only available tunnel mode (check to see if "Enable IPSec" is disabled (unchecked) in the GlobalProtect Gateway Configuration dialog by selecting Agent > Tunnel Settings).
By default, both PAN-OS firewalls and Prisma Access use the SSL VPN only when the endpoint fails to successfully establish an IPSec tunnel.
Severity: MEDIUM, Suggested Urgency: MODERATE
CVSS-B: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:L/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type
CWE-269 Improper Privilege Management
CWE-863 Incorrect Authorization
Solution
This issue is fixed in PAN-OS 8.1.26, PAN-OS 9.0.17-h4, PAN-OS 9.1.17, PAN-OS 10.1.11-h4, PAN-OS 10.2.7-h3, PAN-OS 11.0.3, and all later PAN-OS versions. This issue is fixed in Prisma Access 10.2.4 and later.
Workarounds and Mitigations
You can enable the "Disable Automatic Restoration of SSL VPN" (Network > GlobalProtect Gateways > <gateway-config> > GlobalProtect Gateway Configuration > Agent > Connection Settings) on PAN-OS firewalls with the GlobalProtect feature enabled to mitigate this vulnerability.