Palo Alto Networks Security Advisories / CVE-2024-3388

CVE-2024-3388 PAN-OS: User Impersonation in GlobalProtect SSL VPN

Urgency MODERATE

047910
Severity 5.1 · MEDIUM
Response Effort LOW
Recovery AUTOMATIC
Value Density DIFFUSE
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Automatable NO
User Interaction PASSIVE
Product Confidentiality NONE
Product Integrity LOW
Product Availability NONE
Privileges Required LOW
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE

Description

A vulnerability in the GlobalProtect Gateway in Palo Alto Networks PAN-OS software enables an authenticated attacker to impersonate another user and send network packets to internal assets. However, this vulnerability does not allow the attacker to receive response packets from those internal assets.

Product Status

VersionsAffectedUnaffected
Cloud NGFW NoneAll
PAN-OS 11.1NoneAll
PAN-OS 11.0< 11.0.3>= 11.0.3
PAN-OS 10.2< 10.2.7-h3>= 10.2.7-h3
PAN-OS 10.1< 10.1.11-h4>= 10.1.11-h4
PAN-OS 9.1< 9.1.17>= 9.1.17
PAN-OS 9.0< 9.0.17-h4>= 9.0.17-h4
PAN-OS 8.1< 8.1.26>= 8.1.26
Prisma Access < 10.2.4>= 10.2.4

Required Configuration for Exposure

This issue applies only to PAN-OS firewall configurations with an enabled GlobalProtect gateway and where you are permitting use of the SSL VPN either as a fallback or as the only available tunnel mode. You should verify whether you have a configured GlobalProtect gateway by checking for entries in your firewall web interface (Network > GlobalProtect > Gateways). You can also verify:

- Whether SSL VPN fallback is permitted (check to see if the "Disable Automatic Restoration of SSL VPN" option is disabled in the GlobalProtect Gateway Configuration dialog by selecting Agent > Connection Settings) or;

- Whether SSL VPN is the only available tunnel mode (check to see if "Enable IPSec" is disabled (unchecked) in the GlobalProtect Gateway Configuration dialog by selecting Agent > Tunnel Settings).

By default, both PAN-OS firewalls and Prisma Access use the SSL VPN only when the endpoint fails to successfully establish an IPSec tunnel.

Severity: MEDIUM, Suggested Urgency: MODERATE

CVSS-B: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:L/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-269 Improper Privilege Management

CWE-863 Incorrect Authorization

Solution

This issue is fixed in PAN-OS 8.1.26, PAN-OS 9.0.17-h4, PAN-OS 9.1.17, PAN-OS 10.1.11-h4, PAN-OS 10.2.7-h3, PAN-OS 11.0.3, and all later PAN-OS versions. This issue is fixed in Prisma Access 10.2.4 and later.

Workarounds and Mitigations

You can enable the "Disable Automatic Restoration of SSL VPN" (Network > GlobalProtect Gateways > <gateway-config> > GlobalProtect Gateway Configuration > Agent > Connection Settings) on PAN-OS firewalls with the GlobalProtect feature enabled to mitigate this vulnerability.

Acknowledgments

Palo Alto Networks thanks Ta-Lun Yen of TXOne Networks for discovering and reporting this issue.

Timeline

Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.