Palo Alto Networks Security Advisories / CVE-2024-9473

CVE-2024-9473 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability

Urgency MODERATE

047910
Severity 5.2 · MEDIUM
Response Effort MODERATE
Recovery USER
Value Density CONCENTRATED
Attack Vector LOCAL
Attack Complexity LOW
Attack Requirements PRESENT
Automatable NO
User Interaction NONE
Product Confidentiality NONE
Product Integrity LOW
Product Availability NONE
Privileges Required LOW
Subsequent Confidentiality HIGH
Subsequent Integrity HIGH
Subsequent Availability HIGH

Description

A privilege escalation vulnerability in the Palo Alto Networks GlobalProtect app on Windows allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY/SYSTEM through the use of the repair functionality offered by the .msi file used to install GlobalProtect.

Product Status

VersionsAffectedUnaffected
GlobalProtect App 6.3< 6.3.1-c383 on Windows>= 6.3.1-c383 on Windows
GlobalProtect App 6.2< 6.2.5 on Windows>= 6.2.5 on Windows
GlobalProtect App 6.1< 6.1.4-c720 on Windows, = 6.1.5 on Windows>= 6.1.4-c720 on Windows
GlobalProtect App 6.0< 6.0.10-c823 on Windows>= 6.0.10-c823 on Windows
GlobalProtect App 5.1All on WindowsNone on Windows

Severity: MEDIUM, Suggested Urgency: MODERATE

CVSS-B: 5.2 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/AU:N/R:U/V:C/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue. However, a proof of concept for this issue is publicly available.

Weakness Type

CWE-250 Execution with Unnecessary Privileges

Solution

This issue is fixed in GlobalProtect app 6.0.10-c823, GlobalProtect app 6.1.4-c720, GlobalProtect app 6.2.5, GlobalProtect app 6.3.1-c383, and will be fixed in the remaining supported versions of GlobalProtect app listed in the Product Status section. Updates will be published to this advisory as they become available.

Customers who want to upgrade should reach out to customer support at https://support.paloaltonetworks.com.

Workarounds and Mitigations

Update the Windows registry on endpoints with an affected version of GlobalProtect to disable all MSI installations (not just GlobalProtect installations). This change is system-wide, so it will affect all users of the system including administrators. The following command will update the registry on an endpoint to disable the repair functionality of any MSI file. It will also prevent using MSI files to install, re-install, or uninstall software. This command must be run with administrative privileges.

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" /v DisableMSI /t REG_DWORD /d 2 /f

Be aware that this will fully prevent use of all MSI files, thereby blocking common IT operations such as software deployments typically done by endpoint management solutions that use MSI files to perform the installations. Use caution before updating this value in the registry. After setting DisableMSI to 2, this value will need to be either deleted or changed to another value in order to use any MSI files. For more information, please see https://learn.microsoft.com/en-us/windows/win32/msi/disablemsi.

Acknowledgments

Palo Alto Networks thanks Michael Baer of SEC Consult Vulnerability Lab and Marc Barrantes of KPMG Spain for discovering and reporting this issue.

Timeline

Added fix version for GlobalProtect app 6.1 to the Product Status table
Added fix version for GlobalProtect app 6.0 to the Product Status table
Added fix version for GlobalProtect app 6.3 to the Product Status table
Added a workaround section
Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.