CVE-2024-5918 PAN-OS: Improper Certificate Validation Enables Impersonation of a Legitimate GlobalProtect User

Palo Alto Networks Security Advisories / CVE-2024-5918

CVE-2024-5918 PAN-OS: Improper Certificate Validation Enables Impersonation of a Legitimate GlobalProtect User

Urgency MODERATE

Severity 1.3 · LOW

Exploit Maturity UNREPORTED

Response Effort MODERATE

Recovery AUTOMATIC

Value Density CONCENTRATED

Attack Vector NETWORK

Attack Complexity LOW

Attack Requirements NONE

Automatable NO

User Interaction NONE

Product Confidentiality NONE

Product Integrity LOW

Product Availability NONE

Privileges Required LOW

Subsequent Confidentiality LOW

Subsequent Integrity LOW

Subsequent Availability LOW

NVD JSON

Published 2024-11-13

Updated 2024-11-13

Reference PAN-216947

Discovered in production use

Description

An improper certificate validation vulnerability in Palo Alto Networks PAN-OS software enables an authorized user with a specially crafted client certificate to connect to an impacted GlobalProtect portal or GlobalProtect gateway as a different legitimate user. This attack is possible only if you "Allow Authentication with User Credentials OR Client Certificate."

Product Status

Versions	Affected	Unaffected
Cloud NGFW	None	All
PAN-OS 11.2	None	All
PAN-OS 11.1	None	All
PAN-OS 11.0	< 11.0.3	>= 11.0.3
PAN-OS 10.2	< 10.2.4-h5	>= 10.2.4-h5
PAN-OS 10.1	< 10.1.11	>= 10.1.11
Prisma Access	None	All

Required Configuration for Exposure

This issue impacts only firewalls on which you configured a GlobalProtect portal or GlobalProtect gateway to use Client Certificate Authentication and you set the "Allow Authentication with User Credentials OR Client Certificate" option to "Yes".

You can verify whether you configured GlobalProtect portal or gateway by checking for entries in your firewall web interface (Network → GlobalProtect → Portals or Network → GlobalProtect → Gateways).

If you do have GlobalProtect portals or gateways in your configuration, then you can verify whether you configured Client Certificate Authentication on these portals and gateways by checking your firewall web interface (Network → GlobalProtect → Portals → (portal-config) → Authentication or Network → GlobalProtect → Gateways → (gateway-config) → Authentication).

Severity: LOW, Suggested Urgency: MODERATE

CVSS-BT: 1.3 / CVSS-B: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:U/AU:N/R:A/V:C/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type and Impact

CWE-295 Improper Certificate Validation

CAPEC-151 Identity Spoofing

Solution

This issue is fixed in PAN-OS 10.1.11, PAN-OS 10.2.4-h5, PAN-OS 10.2.5, PAN-OS 11.0.3, and all later PAN-OS versions.

Workarounds and Mitigations

You can mitigate this issue by setting the "Allow Authentication with User Credentials OR Client Certificate" option to "No." Additional information is available here:

CPEs

cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.2:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.1:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.0:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1:-:*:*:*:*:*:*

Show MoreShow Less

Timeline

2024-11-13 Initial publication