
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN192
_____________________________________________________________________

DATE                : 15/04/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GlobalProtect Agent versions prior
                                      to 5.0.9, 5.1.1, 4.1.13.

=====================================================================
https://securityadvisories.paloaltonetworks.com/CVE-2020-1987
https://securityadvisories.paloaltonetworks.com/CVE-2020-1988
https://securityadvisories.paloaltonetworks.com/CVE-2020-1989
_____________________________________________________________________

Palo Alto Networks Security Advisories / CVE-2020-1987

CVE-2020-1987 GlobalProtect Agent: VPN cookie local information disclosure


Severity                2.8 · LOW
Attack Vector           LOCAL
Attack Complexity       LOW
Privileges Required     LOW
User Interaction        REQUIRED
Scope                   UNCHANGED
Confidentiality Impact  LOW
Integrity Impact        NONE
Availability Impact     NONE
Published:              2020-04-08
Updated:                2020-04-08
Ref#:                   GPC-9393


Description

An information exposure vulnerability in the logging component of Palo
Alto Networks GlobalProtect Agent allows a local authenticated user to
read VPN cookie information when the troubleshooting logging level is
set to "Dump".

This issue affects Palo Alto Networks GlobalProtect Agent 5.0 versions
prior to 5.0.9; 5.1 versions prior to 5.1.1.


Product Status

GlobalProtect Agent

Versions  Affected  Unaffected
5.0       < 5.0.9   >= 5.0.9
5.1       < 5.1.1   >= 5.1.1


Severity: LOW

CVSSv3.1 Base Score: 2.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)


Solution

This issue is fixed in GlobalProtect Agent 5.0.9, GlobalProtect Agent
5.1.1 and all later versions.


Workarounds and Mitigations


Acknowledgements

Palo Alto Networks thanks Ahmet Hrnjadovic for discovering and reporting
this issue.


Timeline

2020-04-08 Initial publication
(C) 2020 Palo Alto Networks, Inc. All rights reserved.

_____________________________________________________________________

Palo Alto Networks Security Advisories / CVE-2020-1988

CVE-2020-1988 GlobalProtect Agent: Local privilege escalation due to an
unquoted search path vulnerability


Severity                4.2 · MEDIUM
Attack Vector           LOCAL
Attack Complexity       LOW
Privileges Required     HIGH
User Interaction        NONE
Scope                   UNCHANGED
Confidentiality Impact  LOW
Integrity Impact        LOW
Availability Impact     LOW
Published:              2020-04-08
Updated:                2020-04-08
Ref#:                   GPC-9320


Description

An unquoted search path vulnerability in the Windows release of
GlobalProtect Agent allows an authenticated local user with file
creation privileges on the root of the OS disk (C:\) or on the Program
Files directory to gain system privileges.

This issue affects Palo Alto Networks GlobalProtect Agent 5.0 versions
before 5.0.5; 4.1 versions before 4.1.13 on Windows.


Product Status

GlobalProtect Agent

Versions  Affected             Unaffected
5.0       < 5.0.5 on Windows   >= 5.0.5 on Windows
4.1       < 4.1.13 on Windows  >= 4.1.13 on Windows


Required Configuration

This issue only affects Windows systems where local users are configured
with file creation privileges to the root of the OS disk (C:\) or
'Program Files' directory.


Severity: MEDIUM

CVSSv3.1 Base Score: 4.2 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L)


Solution

This issue is fixed in GlobalProtect Agent 5.0.5, GlobalProtect Agent
4.1.13 and all later versions.


Workarounds and Mitigations

Do not grant file creation privileges on the root of the OS disk (C:\)
or 'Program Files' directory to unprivileged users.
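
Added example (not part of the Palo Alto Networks advisory or of
GlobalProtect): a Python audit that takes service ImagePath strings and
reports, for each unquoted path containing spaces, the directories where
unprivileged file creation has to be denied, as the workaround above
requires. The service names and paths are constructed, hypothetical samples.

```python
import ntpath
import re

# Constructed sample: service name -> ImagePath value as found under
# HKLM\SYSTEM\CurrentControlSet\Services. All names and paths are hypothetical.
SAMPLE_SERVICES = {
    "ExampleAgentSvc": r"C:\Program Files\Example Vendor\Agent Service\agentsvc.exe -run",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\Agent Service\agentsvc.exe" -run',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "DriverSvc": r"\SystemRoot\System32\drivers\example.sys",
}

# Executable part of an unquoted command line: drive-rooted, ending at the
# first ".exe" that is followed by whitespace or the end of the string.
_EXE = re.compile(r"^[A-Za-z]:\\.*?\.exe(?=\s|$)", re.IGNORECASE)


def exposed_directories(image_path):
    """Directories whose file-creation ACL must be restricted for this ImagePath.

    An empty list means the path is quoted, has no space in the executable
    path, or is not a drive-rooted .exe command line (e.g. a kernel driver).
    """
    value = image_path.strip()
    if value.startswith('"'):
        return []  # quoted: the executable name is unambiguous
    match = _EXE.match(value)
    if not match:
        return []
    exe = match.group(0)
    dirs = []
    for i, ch in enumerate(exe):
        if ch == " ":
            # The text before each space is an alternative program name; its
            # parent directory is where file creation has to be denied.
            parent = ntpath.dirname(exe[:i])
            if parent not in dirs:
                dirs.append(parent)
    return dirs


def audit(services):
    """Return {service: [directories]} for services with an unquoted path."""
    findings = {name: exposed_directories(path) for name, path in services.items()}
    return {name: dirs for name, dirs in findings.items() if dirs}


if __name__ == "__main__":
    for name, dirs in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted ImagePath; review ACLs on {dirs}")
```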


Acknowledgements

Palo Alto Networks thanks Ratnesh Pandey of Bromium and Matthew Batten
for discovering and reporting this issue.


Timeline

2020-04-08 Initial publication

_____________________________________________________________________

Palo Alto Networks Security Advisories / CVE-2020-1989

CVE-2020-1989 GlobalProtect Agent: Incorrect privilege assignment allows
local privilege escalation


Severity                  7 · HIGH
Attack Vector             LOCAL
Attack Complexity         HIGH
Privileges Required       LOW
User Interaction          NONE
Scope                     UNCHANGED
Confidentiality Impact    HIGH
Integrity Impact          HIGH
Availability Impact       HIGH
Published:                2020-04-08
Updated:                  2020-04-08
Ref#:                     GPC-9358


Description

An incorrect privilege assignment vulnerability when writing
application-specific files in the Palo Alto Networks GlobalProtect Agent
for Linux on ARM platform allows a local authenticated user to gain root
privileges on the system.

This issue affects Palo Alto Networks GlobalProtect Agent for Linux 5.0
versions before 5.0.8; 5.1 versions before 5.1.1.


Product Status

GlobalProtect Agent

Versions  Affected              Unaffected
5.0       < 5.0.8 on Linux ARM  >= 5.0.8 on Linux ARM
5.1       < 5.1.1 on Linux ARM  >= 5.1.1 on Linux ARM


Severity: HIGH

CVSSv3.1 Base Score: 7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)


Solution

This issue is fixed in GlobalProtect Agent 5.0.8, GlobalProtect Agent
5.1.1 and all later versions.


Workarounds and Mitigations

There are no viable workarounds for this issue.


Timeline

2020-04-08 Initial publication

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================







