======================================================================
CERT-Renater Information Note No. 2024/VULN500
_____________________________________________________________________
DATE : 28/11/2024
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running GlobalProtect App.
=====================================================================
https://security.paloaltonetworks.com/CVE-2024-5921
_____________________________________________________________________

CVE-2024-5921 GlobalProtect App: Insufficient Certificate Validation Leads to Privilege Escalation

Urgency: MODERATE
Severity: 5.6 · MEDIUM
Exploit Maturity: POC
Response Effort: MODERATE
Recovery: USER
Value Density: DIFFUSE
Attack Vector: ADJACENT
Attack Complexity: LOW
Attack Requirements: PRESENT
Automatable: NO
User Interaction: PASSIVE
Product Confidentiality: NONE
Product Integrity: HIGH
Product Availability: NONE
Privileges Required: NONE
Subsequent Confidentiality: HIGH
Subsequent Integrity: HIGH
Subsequent Availability: HIGH
Published: 2024-11-26
Updated: 2024-11-27
Reference: GPC-19860, GPC-19861
Discovered externally

Description

An insufficient certificate validation issue in the Palo Alto Networks GlobalProtect app enables attackers to connect the GlobalProtect app to arbitrary servers. This can enable a local non-administrative operating system user or an attacker on the same subnet to install malicious root certificates on the endpoint and subsequently install malicious software signed by those malicious root certificates on that endpoint.

GlobalProtect App for Android is under evaluation.
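The impact described above is a foreign root certificate landing in the endpoint's trust store. The following PowerShell is an added example for the response side, not part of this advisory or of Palo Alto Networks' tooling: it records a baseline of the LocalMachine Root store by thumbprint on a known-good build and then reports any root that is not in that baseline, marking the ones whose NotBefore date is recent, since a CA minted by an attacker for this attack will be new. The baseline path and the function names are this example's own.

```powershell
# Added example: audit the Windows LocalMachine Root store against a known-good baseline.
# Assumption: the baseline is a plain text file of SHA-1 thumbprints, one per line (path is illustrative).
$BaselinePath = 'C:\ProgramData\CertAudit\root-baseline.txt'

function Get-RootStoreSnapshot {
    # Every certificate in the machine Root store, with the fields useful for triage.
    Get-ChildItem -Path 'Cert:\LocalMachine\Root' | ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotBefore  = $_.NotBefore
            SelfSigned = ($_.Subject -eq $_.Issuer)
            Version    = $_.Version
        }
    }
}

function Save-RootBaseline {
    param([string]$Path = $BaselinePath)
    # Record the thumbprints present on a clean reference machine.
    New-Item -ItemType Directory -Path (Split-Path -Path $Path) -Force | Out-Null
    (Get-RootStoreSnapshot).Thumbprint | Sort-Object -Unique | Set-Content -Path $Path
}

function Find-UnexpectedRoots {
    param(
        [string]$Path = $BaselinePath,
        # Roots whose NotBefore falls inside this window are the first to look at.
        [int]$RecentDays = 30
    )
    if (-not (Test-Path -Path $Path)) {
        throw "No baseline at $Path; run Save-RootBaseline on a known-good host first."
    }
    $known = @{}
    Get-Content -Path $Path | ForEach-Object { $known[$_.Trim().ToUpperInvariant()] = $true }
    $cutoff = (Get-Date).AddDays(-$RecentDays)

    Get-RootStoreSnapshot |
        Where-Object { -not $known.ContainsKey($_.Thumbprint.ToUpperInvariant()) } |
        ForEach-Object {
            $_ | Add-Member -NotePropertyName Recent -NotePropertyValue ($_.NotBefore -gt $cutoff) -PassThru
        }
}

# Usage:
#   Save-RootBaseline                                   # once, on a clean reference build
#   Find-UnexpectedRoots | Format-Table Thumbprint, Subject, NotBefore, SelfSigned, Recent
```

Anything returned by Find-UnexpectedRoots is a root the reference build did not have; a self-signed one with a recent NotBefore on an endpoint that ran a vulnerable GlobalProtect app is worth pulling for analysis before assuming it was pushed by a legitimate change.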
Product Status

Product                 Versions   Affected                 Unaffected
GlobalProtect App       6.3        All                      None
GlobalProtect App       6.2        < 6.2.6 on Windows       >= 6.2.6* on Windows
GlobalProtect App       6.2        All on macOS, Linux      None on macOS, Linux
GlobalProtect App       6.1        All                      None
GlobalProtect App       6.0        None in FIPS-CC mode     All in FIPS-CC mode
GlobalProtect App       5.1        None in FIPS-CC mode     All in FIPS-CC mode
GlobalProtect iOS App              All                      None
GlobalProtect UWP App              All                      None

* In addition to the software updates listed above, additional steps are required to protect against this vulnerability. See the Solution section for full details.

Severity: MEDIUM, Suggested Urgency: MODERATE

- An attacker on the same subnet as an end user who can influence DNS traffic can cause the user to connect to a malicious GlobalProtect portal.
  CVSS-BT: 5.6 / CVSS-B: 7.2 (CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:P/AU:N/R:U/V:D/RE:M/U:Amber)
- A local user with non-administrative privileges connects to a malicious GlobalProtect portal.
  CVSS-BT: 5.6 / CVSS-B: 7.1 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:P/AU:N/R:U/V:D/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue. We are aware of a publicly available conference talk and blog posts discussing this issue. A proof of concept for this issue is also publicly available.

Weakness Type and Impact

CWE-295 Improper Certificate Validation
CAPEC-233 Privilege Escalation

Solution

This issue is fixed in GlobalProtect app 6.2.6 and all later GlobalProtect app 6.2 versions on Windows. Additional fixes are under development and will be made available for the remaining platforms (macOS, Linux, iOS, and Android).
The fix for this vulnerability requires three steps:

1. Ensure that all of your GlobalProtect portals use TLS certificate chains that only contain valid X.509v3 certificates.
2. Ensure that the TLS certificate chains used by the GlobalProtect portals are added to the root certificate store in your operating system.
3. Install a fixed version of GlobalProtect using one of the deployment options below.

The setting introduced by the fixed version enforces strict X.509v3 verification checks on the certificate chain provided by the GlobalProtect portal.

Note: Prisma Access customers using portals with a *.gpcloudservice.com domain name already have valid TLS certificate chains. The root certificate for these portals is from GoDaddy, which is trusted by default in Windows, RHEL, Ubuntu, iOS, and Android. Therefore, Prisma Access customers using a GlobalProtect portal with a *.gpcloudservice.com domain name should only need to perform step 3 above.

Important: if your GlobalProtect portals do not use valid X.509v3 TLS certificate chains, the fixed app's TLS verification will fail. To generate a GlobalProtect portal certificate that can be used with a fixed version of the GlobalProtect app, refer to the first "FIPS-CC Certification Validation" table in our documentation.

Solution for new and existing GlobalProtect app installation on Windows

Customers can use their endpoint mobile device management (MDM) tools to apply the following changes.

1. Install a fixed version of GlobalProtect app.
2. Update the following registry key with the specified recommended values:

   HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings
     cert-store: machine
     cert-location: ROOT
     full-chain-cert-verify: yes

3. Restart the operating system to apply the registry change.
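Steps 1 and 2 above are portal-side prerequisites that are easy to get wrong and that a fixed client will refuse silently. The following PowerShell is an added example, not from the advisory and not the GlobalProtect app's own validation logic: it opens a TLS session to a portal, copies out the chain the server presented, and checks that every certificate in it is X.509 version 3 and that the chain builds against this machine's own Root store with no network fetching, which is what a client relying on the local store will see. 'portal.example.com' is a placeholder and the function names are this example's own.

```powershell
using namespace System.Security.Cryptography.X509Certificates
using namespace System.Net.Security

# Added example (not from the advisory): check a GlobalProtect portal's TLS chain against the
# two portal-side requirements of the fix (all X.509v3, trusted by the machine Root store).

function Get-PortalCertificateChain {
    param([Parameter(Mandatory)][string]$PortalHost, [int]$Port = 443)
    # The chain SslStream builds during the handshake is only visible inside the validation
    # callback, so copy each element out. The callback accepts unconditionally: this function
    # observes the chain, the decision is made in Test-PortalChain.
    $state = @{ Certs = [System.Collections.Generic.List[X509Certificate2]]::new() }
    $observe = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        foreach ($element in $chain.ChainElements) {
            $state.Certs.Add([X509Certificate2]::new($element.Certificate.RawData))
        }
        return $true
    }.GetNewClosure()

    $tcp = [System.Net.Sockets.TcpClient]::new($PortalHost, $Port)
    try {
        $ssl = [SslStream]::new($tcp.GetStream(), $false, [RemoteCertificateValidationCallback]$observe)
        $ssl.AuthenticateAsClient($PortalHost)   # SNI = portal name, as the app would send it
        $ssl.Dispose()
    } finally {
        $tcp.Dispose()
    }
    return $state.Certs
}

function Test-PortalChain {
    param([Parameter(Mandatory)][string]$PortalHost, [int]$Port = 443)
    $certs = @(Get-PortalCertificateChain -PortalHost $PortalHost -Port $Port)
    if ($certs.Count -eq 0) { throw "No certificate chain received from ${PortalHost}:$Port" }
    $leaf = $certs[0]

    # Requirement 1: nothing older than X.509v3 anywhere in the chain.
    $nonV3 = @($certs | Where-Object { $_.Version -ne 3 })

    # Requirement 2: the chain must verify against the machine context store. Intermediates the
    # server sent go into ExtraStore; revocation is skipped and no AIA download is attempted so
    # the result reflects what this endpoint trusts right now, not what it could fetch.
    $chain = [X509Chain]::new($true)   # $true = machine context
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::NoFlag
    foreach ($intermediate in ($certs | Select-Object -Skip 1)) {
        [void]$chain.ChainPolicy.ExtraStore.Add($intermediate)
    }
    $trusted = $chain.Build($leaf)

    [pscustomobject]@{
        Portal                = $PortalHost
        ChainLength           = $certs.Count
        AllX509v3             = ($nonV3.Count -eq 0)
        NonV3Subjects         = @($nonV3 | ForEach-Object { $_.Subject })
        TrustedByMachineStore = $trusted
        ChainStatus           = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        Ready                 = ($nonV3.Count -eq 0 -and $trusted)
    }
}

# Usage:
#   Test-PortalChain -PortalHost 'portal.example.com' | Format-List
```

Ready is $true only when both portal-side steps are satisfied on the machine running the check. A result with TrustedByMachineStore $false and ChainStatus containing UntrustedRoot means step 2 has not been done on that endpoint; a non-empty NonV3Subjects means step 1 has not, and re-issuing the portal certificate per the documentation table referenced above is the fix, not loosening the client.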
Alternate solution for new GlobalProtect app installation on Windows

Install GlobalProtect with the pre-deployment key FULLCHAINCERTVERIFY set to Yes:

  msiexec.exe /i GlobalProtect64.msi FULLCHAINCERTVERIFY="yes"

Workarounds and Mitigations

You can mitigate this issue on all platforms (Windows, macOS, Linux, iOS, Android) by using GlobalProtect app 6.0 in FIPS-CC mode or GlobalProtect app 5.1 in FIPS-CC mode. For details, refer to the first "FIPS-CC Certification Validation" table in our documentation.

Note: this is separate from any FIPS-CC configuration on GlobalProtect portals or gateways. The workaround is specific to FIPS-CC mode on the GlobalProtect app; portals and gateways do not need to run in FIPS-CC mode for it to apply.

Acknowledgments

Palo Alto Networks thanks Maxime ESCOURBIAC, Michelin CERT, Yassine BENGANA, Abicom for Michelin CERT, and Richard Warren and David Cash of AmberWolf for discovering and reporting the issue.

Frequently Asked Questions

Q. What does the fix for GlobalProtect on Windows do?
A. The fix for this vulnerability adds three configuration options to the installer (CERTSTORE, CERTLOCATION, and FULLCHAINCERTVERIFY) and to the Windows registry (cert-store, cert-location, full-chain-cert-verify). Collectively, these options configure the GlobalProtect app to enforce strict X.509v3 verification checks on the certificate chain provided by GlobalProtect portals. In addition, FIPS-CC certificate verification checks are now performed when connecting to GlobalProtect portals.

Q. How do I troubleshoot issues with my TLS certificates?
A. Refer to the first "FIPS-CC Certification Validation" table in our documentation.

Q. I use client-based certificate authentication. Am I affected?
A. This is unrelated to client certificate authentication. The vulnerability concerns the TLS server certificate presented by the GlobalProtect portal.

Q. If I set "Allow User to Change Portal Address" in the GlobalProtect portal settings to "No", is that a valid workaround?
A. No. This vulnerability can be exploited by an attacker who is not on the user's system. An attacker on the same subnet as a target user can influence DNS traffic on the subnet, causing the GlobalProtect app on the user's system to connect to a malicious GlobalProtect portal.

Q. Can I use FIPS-CC in a version of GlobalProtect app other than GlobalProtect app 5.1 or GlobalProtect app 6.0?
A. No. FIPS-CC is only certified for GlobalProtect app 5.1 and GlobalProtect app 6.0. A prior version of this advisory indicated that this was possible for other versions; this has been corrected.

Q. I already installed GlobalProtect app 6.2.6 on Windows without the special MSI command line options. Do I have to re-install?
A. No. Refer to the "Solution for new and existing GlobalProtect app installation on Windows" section for the registry updates that you can apply after installing GlobalProtect app 6.2.6 on Windows.
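The Windows fix, as the Solution section and the last FAQ entry describe it, is two things that must both be true on the endpoint: a fixed 6.2.x build and the three registry values; a 6.2.6 install without the values is still unprotected. The following PowerShell is an added example, not from the advisory or from Palo Alto Networks, that audits both conditions and can apply the registry half. Assumptions it makes: the values are written as REG_SZ (the advisory gives only the names and values), the agent binary sits at the default path C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe, and, per the Product Status table at the time of this note, only the 6.2 train carries the fix, so a 6.3.x build is treated as unfixed.

```powershell
# Added example (not from the advisory): audit and apply the Windows-side fix for CVE-2024-5921.
$GpSettingsKey   = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings'
$GpAgentExe      = 'C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe'  # assumed default path
$MinFixedVersion = [version]'6.2.6'
$RequiredValues  = [ordered]@{
    'cert-store'             = 'machine'
    'cert-location'          = 'ROOT'
    'full-chain-cert-verify' = 'yes'
}

function Get-GpInstalledVersion {
    param([string]$Path = $GpAgentExe)
    # Parse the leading dotted number out of the file version string; returns $null if not installed.
    if (-not (Test-Path -Path $Path)) { return $null }
    $raw = (Get-Item -Path $Path).VersionInfo.FileVersion
    if ($raw -match '^\s*(\d+(\.\d+)+)') { return [version]$Matches[1] }
    return $null
}

function Test-GpFixedBuild {
    param([version]$Version)
    # Only the 6.2 train is fixed on Windows in this advisory; 6.3 is listed as affected, so a plain
    # ">= 6.2.6" comparison would wrongly pass 6.3.x. Gate on major.minor first.
    if ($null -eq $Version) { return $false }
    return ($Version.Major -eq 6 -and $Version.Minor -eq 2 -and $Version -ge $MinFixedVersion)
}

function Test-GpStrictCertVerify {
    param([string]$Key = $GpSettingsKey)
    # One row per required registry value plus the build gate; the fix needs every row compliant.
    $rows = foreach ($name in $RequiredValues.Keys) {
        $actual = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Check     = "registry $name"
            Expected  = $RequiredValues[$name]
            Actual    = $actual
            Compliant = ($null -ne $actual -and "$actual" -eq $RequiredValues[$name])
        }
    }
    $ver = Get-GpInstalledVersion
    $rows += [pscustomobject]@{
        Check     = 'GlobalProtect build'
        Expected  = "6.2 train, >= $MinFixedVersion"
        Actual    = $ver
        Compliant = (Test-GpFixedBuild -Version $ver)
    }
    $rows
}

function Set-GpStrictCertVerify {
    param([string]$Key = $GpSettingsKey)
    # Apply the recommended values (elevated prompt required). The advisory calls for an OS
    # restart afterwards, so this does not claim the endpoint is protected until that happens.
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $RequiredValues.Keys) {
        Set-ItemProperty -Path $Key -Name $name -Value $RequiredValues[$name] -Type String  # REG_SZ assumed
    }
}

# Usage:
#   Test-GpStrictCertVerify | Format-Table Check, Expected, Actual, Compliant
#   if (Test-GpStrictCertVerify | Where-Object { -not $_.Compliant }) { Set-GpStrictCertVerify }
```

The same three checks are what an MDM compliance rule should express: a host with the registry values but a 6.2.5 build, or a 6.2.6 build with the values missing, is still exposed to the subnet-DNS scenario in the FAQ above, and on macOS and Linux no combination of these settings helps until the platform fix ships.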
CPEs

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.1:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.0:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.5:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.4:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.3:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.2:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.1:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.0:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.1.5:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.1.4:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.1.3:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.1.2:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.1.1:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.1.0:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.0.11:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.0.10:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.0.8:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.0.7:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.0.6:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.0.5:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.0.4:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.0.3:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.0.2:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.0.1:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.0.0:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.12:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.11:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.10:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.9:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.8:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.7:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.6:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.5:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.4:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.3:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.2:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.1:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:5.1.0:-:*:*:*:*:*:*

Timeline

2024-11-27  Added registry-based deployment option to solution, added frequently asked questions
2024-11-26  Clarified impact, solution, and added frequently asked questions
2024-11-26  Initial publication

=========================================================
+ CERT-RENATER               | tel : 01-53-94-20-44      +
+ 23/25 Rue Daviel           | fax : 01-53-94-20-41      +
+ 75013 Paris                | email: cert@support.renater.fr +
=========================================================