CVE-2024-5921

Summary

An insufficient certification validation issue in the Palo Alto Networks GlobalProtect app enables attackers to connect the GlobalProtect app to arbitrary servers. This can enable a local non-administrative operating system user or an attacker on the same subnet to install malicious root certificates on the endpoint and subsequently install malicious software signed by the malicious root certificates on that endpoint.

Please subscribe to our RSS feed https://security.paloaltonetworks.com/rss.xml to be alerted to new updates to this and other advisories.

Affected Software

VendorProductVersion RangeStatus
Palo Alto NetworksGlobalProtect App6.3.0 < 6.3.2affected
Palo Alto NetworksGlobalProtect App6.2.0 < 6.2.6affected
Palo Alto NetworksGlobalProtect App6.1.0affected
Palo Alto NetworksGlobalProtect App6.3.0 < 6.3.2affected
Palo Alto NetworksGlobalProtect App6.2.0 < 6.2.6-c857affected
Palo Alto NetworksGlobalProtect App6.1.0affected
Palo Alto NetworksGlobalProtect App6.2.0 < 6.2.1-c31affected
Palo Alto NetworksGlobalProtect App6.1.0affected
Palo Alto NetworksGlobalProtect App6.1.0 < 6.1.6affected
Palo Alto NetworksGlobalProtect App6.1.0 < 6.1.7affected
Palo Alto NetworksGlobalProtect App6.0.0unaffected
Palo Alto NetworksGlobalProtect App5.1.0unaffected
Palo Alto NetworksGlobalProtect App6.2.0 < 6.2.6affected

Weaknesses

  • CWE-295: CWE-295 Improper Certificate Validation

Workarounds

You can mitigate this issue for all platforms ( Windows https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/certifications/enable-and-verify-fips-cc-mode/enable-fips-cc-mode-using-the-windows-registry , macOS https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/certifications/enable-and-verify-fips-cc-mode/enable-fips-cc-mode-using-the-macos-property-list , Linux https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/certifications/enable-and-verify-fips-cc-mode/enable-fips-cc-mode-on-linux-endpoints-redhat , iOS https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/certifications/enable-and-verify-fips-cc-mode/enable-and-verify-fips-cc-mode-using-workspaceone-on-ios-devices , Android https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/certifications/enable-and-verify-fips-cc-mode/enable-and-verify-fips-cc-mode-using-microsoft-intune-on-android-endpoints ) by using the GlobalProtect app 6.0 in FIPS-CC mode or GlobalProtect app 5.1 in FIPS-CC mode. For details, refer to the first "FIPS-CC Certification Validation" table in our documentation https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/certifications/resolve-fips-cc-mode-issues .

Note: this is separate from any FIPS-CC configurations on any GlobalProtect portals or gateways. This workaround is specific to FIPS-CC mode on the GlobalProtect app. GlobalProtect portals or gateways do not need to use FIPS-CC mode as part of this workaround.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References