CVE-2024-5921 GlobalProtect App: Insufficient Certificate Validation Leads to Privilege Escalation
Description
An insufficient certification validation issue in the Palo Alto Networks GlobalProtect app enables attackers to connect the GlobalProtect app to arbitrary servers. This can enable a local non-administrative operating system user or an attacker on the same subnet to install malicious root certificates on the endpoint and subsequently install malicious software signed by the malicious root certificates on that endpoint.
Please subscribe to our RSS feed to be alerted to new updates to this and other advisories.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| GlobalProtect App | All on Windows UWP | None on Windows UWP |
| GlobalProtect App 6.3 | < 6.3.2* on Windows < 6.3.2* on macOS | >= 6.3.2* on Windows >= 6.3.2* on macOS |
| GlobalProtect App 6.2 | < 6.2.6* on Windows < 6.2.6-HF* on macOS < 6.2.1-HF2* on Linux | >= 6.2.6* on Windows >= 6.2.6-HF* on macOS (ETA: middle of Jan) >= 6.2.1-HF2* on Linux (ETA: end of Jan) |
| GlobalProtect App 6.1 | All on Windows All on macOS All on Linux All on Android < 6.1.7* on iOS | None on Windows None on macOS None on Linux None on Android >= 6.1.7* on iOS (ETA: end of Jan) |
| GlobalProtect App 6.0 | None in FIPS-CC mode | All in FIPS-CC mode |
| GlobalProtect App 5.1 | None in FIPS-CC mode | All in FIPS-CC mode |
* In addition to the software updates listed above, additional steps are required to protect against this vulnerability. See the Solution section for full details.
Required Configuration for Exposure
No special configuration is required to be affected by this issue.
Severity: MEDIUM, Suggested Urgency: MODERATE
An attacker on the same subnet as an end user who can influence DNS traffic can cause the user to connect to a malicious GlobalProtect portal.
CVSS-BT:
5.6 /
CVSS-B:
7.2 (CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:P/AU:N/R:U/V:D/RE:M/U:Amber)
A local user with non-administrative privileges connects to a malicious GlobalProtect portal.
CVSS-BT:
5.6 /
CVSS-B:
7.1 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:P/AU:N/R:U/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue. We are aware of a publicly available conference talk and blog posts discussing this issue. A proof of concept for this issue is also publicly available.
Weakness Type and Impact
CWE-295 Improper Certificate Validation
CAPEC-233 Privilege Escalation
Solution
This issue is fixed in GlobalProtect app 6.2.6 on Windows, GlobalProtect app 6.3.2 on Windows and macOS, and all later GlobalProtect app versions. Additional fixes are under development and will be made available for the remaining platforms (Linux, iOS, and Android).
The fix for this vulnerability requires three steps:- Ensure that all of your GlobalProtect portals use TLS certificate chains that meet the criteria specified in the "FIPS-CC Certification Validation" table in our documentation.
- Ensure that the TLS certificate chains used by the GlobalProtect portals are added to the root certificate store in your operating system.
- Install a fixed version of GlobalProtect using one of the deployment options below. This setting enforces strict X.509v3 verification checks on the certificate provided by the GlobalProtect portal.
Note: Prisma Access customers using portals with a *.gpcloudservice.com domain name already have valid TLS certificate chains. The root certificate for these portals is from GoDaddy, which is trusted by default in Windows, macOS, RHEL, Ubuntu, iOS, and Android. Therefore, Prisma Access customers using a GlobalProtect portal with a *.gpcloudservice.com domain name should only need to perform step 3 above.
Important: If your GlobalProtect portals do not use valid X.509V3 TLS certificate chains, this will result in TLS verification failures. To generate a GlobalProtect portal certificate that can be used with a fixed version of GlobalProtect app, refer to the first "FIPS-CC Certification Validation" table in our documentation.
Warning: Performance Concern: Some customers reported problems connecting to Portals and Gateways when this solution was implemented in certain situations. This is due to certificate providers that rate limit requests for Online Certificate Status Protocol (OCSP) and certificate revocation list (CRL) checks. This happens when multiple users connect to GlobalProtect Portals from a single public IP (such as NAT) around the same time, such as when hundreds or thousands of end users connect around the start of a workday from a single office.
Solution for new and existing GlobalProtect app installations on Windows
Customers can use their endpoint mobile device management (MDM) tools to apply the following changes.
- Install a fixed version of GlobalProtect app.
- Update the following registry key with the specified recommended values (these values have the REG_SZ type):
[HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings]
"cert-store"="machine"
"cert-location"="ROOT"
"full-chain-cert-verify"="yes" - To apply this registry change, restart Windows.
Alternate solution for new GlobalProtect app installations on Windows
Install the GlobalProtect app with the pre-deployment key FULLCHAINCERTVERIFY set to Yes:
msiexec.exe /i GlobalProtect64.msi FULLCHAINCERTVERIFY="yes"Note: This command will add the registry values listed in the previous section (no additional MSI options are needed).
Solution for new and existing GlobalProtect app installations on macOS
- Install a fixed version of the GlobalProtect app.
- Use Xcode to edit the com.paloaltonetworks.GlobalProtect.settings.plist file in /Library/Preferences.
- Add a "Settings" section if it does not exist within the GlobalProtect section.
- Within the "Settings" section, add the full-chain-cert-verify key and set the string value to yes.
<key>GlobalProtect</key>
<dict>
(removed for brevity)
<key>Settings</key>
<dict>
<key>full-chain-cert-verify</key>
<string>yes</string>
</dict>
</dict> - Restart macOS.
Workarounds and Mitigations
You can mitigate this issue for all platforms (Windows, macOS, Linux, iOS, Android) by using the GlobalProtect app 6.0 in FIPS-CC mode or GlobalProtect app 5.1 in FIPS-CC mode. For details, refer to the first "FIPS-CC Certification Validation" table in our documentation.
Note: this is separate from any FIPS-CC configurations on any GlobalProtect portals or gateways. This workaround is specific to FIPS-CC mode on the GlobalProtect app. GlobalProtect portals or gateways do not need to use FIPS-CC mode as part of this workaround.
Acknowledgments
Frequently Asked Questions
Q. What does the fix for the GlobalProtect app on Windows do?
The fix for this vulnerability adds three configuration options to the installer (CERTSTORE, CERTLOCATION, and FULLCHAINCERTVERIFY) and Windows registry (cert-store, cert-location, full-chain-cert-verify). Collectively, these options configure the GlobalProtect app to enforce strict X.509v3 verification checks on the certificate chain provided by GlobalProtect portals. In addition, FIPS-CC certificate verification checks are now performed when connecting to GlobalProtect portals.
Note: Documentation for the new installer options and registry settings will be published to the Deploy App Settings to Windows Endpoints documentation.
Q. How do I troubleshoot issues with my TLS certificates?
Refer to the "Troubleshoot CVE-2024-5921 Issues" knowledge base article.
Q. I use client-based certificate authentication. Am I affected?
This is unrelated to client certificate authentication. This vulnerability is related to the TLS server certificate presented by the GlobalProtect portal.
Q. If I set "Allow User to Change Portal Address" in the GlobalProtect portal settings to "No", is that a valid workaround?
No. This vulnerability can be exploited by an attacker who is not on the user's system. An attacker on the same subnet as a target user can influence DNS traffic on the subnet, causing the GlobalProtect app on the user's system to connect to a malicious GlobalProtect portal.
Q. Can I use FIPS-CC in a version of the GlobalProtect app other than GlobalProtect app 5.1 or GlobalProtect app 6.0?
No. FIPS-CC is only certified for GlobalProtect app 5.1 and GlobalProtect app 6.0. A prior version of this advisory indicated that this was possible for versions other than GlobalProtect app 5.1 and GlobalProtect app 6.0. This has been corrected.
Q. I already installed GlobalProtect app 6.2.6 on Windows without the special MSI command line options. Do I have to re-install?
No. Refer to the "Solution for new and existing GlobalProtect app installation on Windows" section for guidance on registry updates that you can apply after installing GlobalProtect app 6.2.6 on Windows.
Q. How do I know if I ran the MSI installer correctly?
After installing, check the Windows registry under the HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings key. If full-chain-cert-verify is set to "yes", the installer was run correctly.
Note: Documentation for the new installer options and registry settings will be published to the Deploy App Settings to Windows Endpoints documentation.
Q. If I'm using self-signed certificates in my GlobalProtect portals, will the GlobalProtect app still be affected?
Yes. A software update listed in the Solution section is still required. If the self-signed certificate meets the criteria specified in the "FIPS-CC Certification Validation" table in our documentation, the self-signed certificate will be validated.