Palo Alto Networks Security Advisories / CVE-2024-5921

CVE-2024-5921 GlobalProtect App: Insufficient Certificate Validation Leads to Privilege Escalation

Urgency MODERATE

Severity 5.6 · MEDIUM
Exploit Maturity POC
Response Effort MODERATE
Recovery USER
Value Density DIFFUSE
Attack Vector ADJACENT
Attack Complexity LOW
Attack Requirements PRESENT
Automatable NO
User Interaction PASSIVE
Product Confidentiality NONE
Product Integrity HIGH
Product Availability NONE
Privileges Required NONE
Subsequent Confidentiality HIGH
Subsequent Integrity HIGH
Subsequent Availability HIGH

Description

An insufficient certificate validation issue in the Palo Alto Networks GlobalProtect app enables attackers to connect the GlobalProtect app to arbitrary servers. This can enable a local non-administrative operating system user or an attacker on the same subnet to install malicious root certificates on the endpoint and subsequently install malicious software signed by those malicious root certificates on that endpoint.

No fix or workaround is available for macOS or Linux at this time. GlobalProtect App for Android is under evaluation. Please subscribe to our RSS feed to be alerted to new updates to this and other advisories.

Product Status

Versions                  Affected                  Unaffected
GlobalProtect App         All on iOS                None on iOS
GlobalProtect App 6.3     All                       None
GlobalProtect App 6.2     < 6.2.6 on Windows        >= 6.2.6
GlobalProtect App 6.2     All on MacOS, Linux       None on MacOS, Linux
GlobalProtect App 6.1     All                       None
GlobalProtect App 6.0     All                       None
GlobalProtect App 5.1     All                       None
GlobalProtect UWP App     All on Windows            None on Windows

Severity: MEDIUM, Suggested Urgency: MODERATE

An attacker on the same subnet as an end user who can influence DNS traffic can cause the user to connect to a malicious GlobalProtect portal.
CVSS-BT: 5.6 / CVSS-B: 7.2 (CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:P/AU:N/R:U/V:D/RE:M/U:Amber)

A local user with non-administrative privileges connects to a malicious GlobalProtect portal.
CVSS-BT: 5.6 / CVSS-B: 7.1 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:P/AU:N/R:U/V:D/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue. We are aware of a publicly available conference talk and blog post discussing this issue.

Weakness Type and Impact

CWE-295 Improper Certificate Validation

CAPEC-233 Privilege Escalation

Solution

This issue is fixed in GlobalProtect app 6.2.6 and all later GlobalProtect app 6.2 versions on Windows.

The fix for this vulnerability requires three steps:

  1. Ensure that all of your GlobalProtect portals use TLS certificate chains that only contain valid X.509v3 certificates.
  2. Ensure that the TLS certificate chains used by the GlobalProtect portals are added to a certificate store in your operating system (specified using CERTSTORE and CERTLOCATION).
  3. Install a fixed version of GlobalProtect with FULLCHAINCERTVERIFY="yes" as indicated below. This setting enforces strict X.509v3 verification checks on the certificate provided by the GlobalProtect portal.

Important: if your GlobalProtect portals do not use valid X.509v3 TLS certificate chains, enabling FULLCHAINCERTVERIFY will result in TLS verification failures. In this case, refer to the Server Certificate Validation section of our documentation for how to resolve FIPS-CC mode issues.

Install GlobalProtect with the pre-deployment key FULLCHAINCERTVERIFY set to Yes:

    msiexec.exe /i GlobalProtect64.msi FULLCHAINCERTVERIFY="yes"

Optionally, to specify the certificate store and the location within the certificate store that is used to load the certificates for certificate validation, install GlobalProtect using the following parameters:

    msiexec.exe /i GlobalProtect64.msi FULLCHAINCERTVERIFY="yes" CERTSTORE="machine" CERTLOCATION="ROOT"

Valid options for CERTSTORE are "machine" (recommended) and "user".

Valid options for CERTLOCATION are "ROOT" (recommended), "MY", "TrustedPublisher", "CA", "trust", "AuthRoot", "SmartCardRoot", and "UserdDS".

If either CERTSTORE or CERTLOCATION is unspecified, the GlobalProtect app will load the certificates from the root of the machine store by default.
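One way to confirm steps 1 and 2 before rolling out step 3, as an added PowerShell example that is not Palo Alto Networks' code: it captures the certificate chain each portal presents during the TLS handshake, checks that every element is an X.509v3 certificate and that Windows reports no chain errors, checks that the chain's root is present in the store selected by CERTSTORE and CERTLOCATION, and only then runs the msiexec command from this advisory. The portal hostname, the MSI path, the -Install switch and the use of msiexec's /qn quiet flag are assumptions for the example; replace them with your own values.

```powershell
# Added example, not Palo Alto Networks' code: pre-flight check for the three-step fix
# before enabling FULLCHAINCERTVERIFY="yes" on endpoints.
# Assumptions: portal FQDNs, MSI path and the -Install switch are placeholders for your own.
param(
    [string[]]$Portals      = @('gp-portal.example.com'),   # assumption: your GlobalProtect portal FQDNs
    [string]  $MsiPath      = '.\GlobalProtect64.msi',      # assumption: path to the fixed installer (>= 6.2.6)
    [string]  $CertStore    = 'machine',                    # CERTSTORE value: machine | user
    [string]  $CertLocation = 'ROOT',                       # CERTLOCATION value: ROOT, MY, CA, ...
    [switch]  $Install                                      # run msiexec only after all checks pass
)

# Capture the certificates the portal presents during the TLS handshake (leaf first).
function Get-PortalChain {
    param([string]$HostName, [int]$Port = 443)
    $capture = @{ Certs = @(); Errors = 'None' }
    $callback = {
        param($sender, $cert, $chain, $errors)
        # Copy RawData out so the certificates outlive the handshake's chain object.
        $capture.Certs = @($chain.ChainElements | ForEach-Object {
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.Certificate.RawData) })
        $capture.Errors = $errors.ToString()
        return $true   # accept here only to inspect; the verdict is computed in Test-PortalChain
    }.GetNewClosure()
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
                 [System.Net.Security.RemoteCertificateValidationCallback]$callback)
        $ssl.AuthenticateAsClient($HostName)
        $ssl.Dispose()
    } finally { $tcp.Dispose() }
    return $capture
}

# Map the installer's CERTSTORE / CERTLOCATION values to the Cert: drive path PowerShell uses.
function Get-StorePath {
    param([string]$Store, [string]$Location)
    $scope = if ($Store -eq 'user') { 'CurrentUser' } else { 'LocalMachine' }
    return "Cert:\$scope\$Location"
}

# Apply the advisory's steps 1 and 2 to one portal; returns a list of findings (empty = OK).
function Test-PortalChain {
    param([string]$HostName, [string]$StorePath)
    $result = Get-PortalChain -HostName $HostName
    if ($result.Certs.Count -eq 0) { return @("${HostName}: no certificate chain captured") }
    $findings = @()
    foreach ($c in $result.Certs) {
        # Step 1: every element of the chain must be an X.509v3 certificate.
        if ($c.Version -ne 3) { $findings += "${HostName}: '$($c.Subject)' is X.509v$($c.Version), not v3" }
    }
    if ($result.Errors -ne 'None') { $findings += "${HostName}: Windows chain validation reported $($result.Errors)" }
    # Step 2: the chain's root must be present in the store the app will be told to load from.
    $root = $result.Certs[-1]
    if (-not (Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $root.Thumbprint })) {
        $findings += "${HostName}: root '$($root.Subject)' not found in $StorePath"
    }
    return $findings
}

$storePath = Get-StorePath -Store $CertStore -Location $CertLocation
$allFindings = @()
foreach ($p in $Portals) { $allFindings += Test-PortalChain -HostName $p -StorePath $storePath }

if ($allFindings.Count -gt 0) {
    $allFindings | ForEach-Object { Write-Warning $_ }
    Write-Warning 'Resolve these findings before enabling FULLCHAINCERTVERIFY, or the app will fail TLS verification.'
    exit 1
}
Write-Host "All portals present X.509v3 chains rooted in $storePath."

if ($Install) {
    # Step 3: install the fixed app with strict full-chain verification (the advisory's parameters).
    $msiArgs = "/i `"$MsiPath`" FULLCHAINCERTVERIFY=`"yes`" CERTSTORE=`"$CertStore`" CERTLOCATION=`"$CertLocation`" /qn"
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    if ($proc.ExitCode -ne 0) { Write-Error "msiexec exited with $($proc.ExitCode)"; exit $proc.ExitCode }
    Write-Host 'GlobalProtect installed with FULLCHAINCERTVERIFY=yes.'
}
```

Run it without -Install first, from an elevated prompt on a representative endpoint, so that a portal with a non-v3 certificate or a root missing from the chosen store is caught before FULLCHAINCERTVERIFY turns that condition into a connection failure for users. The callback accepts the handshake only so the presented chain can be copied out; the pass/fail decision is made afterwards from the copied certificates and the SslPolicyErrors value Windows reported.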

Note: a solution involving Windows registry modifications rather than MSI command line options is under evaluation. More information will be provided in a future version of this advisory.

Workarounds and Mitigations

You can mitigate this issue by using the GlobalProtect app in FIPS-CC mode. For details, review the documentation on how to enable and verify FIPS-CC mode.

Note: this is separate from any FIPS-CC configurations on any GlobalProtect portals or gateways. This workaround is specific to FIPS-CC mode on the GlobalProtect app. GlobalProtect portals or gateways do not need to use FIPS-CC mode as part of this workaround.

Acknowledgments

Palo Alto Networks thanks Maxime ESCOURBIAC, Michelin CERT, Yassine BENGANA, Abicom for Michelin CERT, and Richard Warren and David Cash of AmberWolf for discovering and reporting the issue.

Frequently Asked Questions

Q. What does this fix do?

The fix for this vulnerability adds three configuration options to the installer: FULLCHAINCERTVERIFY, CERTSTORE, and CERTLOCATION. Collectively, these options configure the GlobalProtect app to enforce strict X.509v3 verification checks on the certificate provided by GlobalProtect portals.

Q. How do I troubleshoot issues with my TLS certificates?

Refer to the Server Certificate Validation section of our documentation for how to resolve FIPS-CC mode issues.

CPEs

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.1:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.0:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.5:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.4:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.3:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.2:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.1:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.0:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.1.5:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.1.4:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.1.3:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.1.2:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.1.1:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.1.0:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.0.11:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.0.10:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.0.8:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.0.7:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.0.6:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.0.5:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.0.4:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.0.3:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.0.2:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.0.1:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.0.0:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.12:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.11:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.10:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.9:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.8:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.7:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.6:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.5:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.4:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.3:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.2:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.1:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.0:-:*:*:*:*:*:*

Timeline

Clarified impact, solution, and added frequently asked questions
Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.