CVE-2024-5921
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/AU:N/R:U/V:D/RE:M/U:Amber
Summary
An insufficient certification validation issue in the Palo Alto Networks GlobalProtect app enables attackers to connect the GlobalProtect app to arbitrary servers. This can enable a local non-administrative operating system user or an attacker on the same subnet to install malicious root certificates on the endpoint and subsequently install malicious software signed by the malicious root certificates on that endpoint.
Please subscribe to our RSS feed https://security.paloaltonetworks.com/rss.xml to be alerted to new updates to this and other advisories.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Palo Alto Networks | GlobalProtect App | 6.3.0 < 6.3.2 | affected |
| Palo Alto Networks | GlobalProtect App | 6.2.0 < 6.2.6 | affected |
| Palo Alto Networks | GlobalProtect App | 6.1.0 | affected |
| Palo Alto Networks | GlobalProtect App | 6.3.0 < 6.3.2 | affected |
| Palo Alto Networks | GlobalProtect App | 6.2.0 < 6.2.6-c857 | affected |
| Palo Alto Networks | GlobalProtect App | 6.1.0 | affected |
| Palo Alto Networks | GlobalProtect App | 6.2.0 < 6.2.1-c31 | affected |
| Palo Alto Networks | GlobalProtect App | 6.1.0 | affected |
| Palo Alto Networks | GlobalProtect App | 6.1.0 < 6.1.6 | affected |
| Palo Alto Networks | GlobalProtect App | 6.1.0 < 6.1.7 | affected |
| Palo Alto Networks | GlobalProtect App | 6.0.0 | unaffected |
| Palo Alto Networks | GlobalProtect App | 5.1.0 | unaffected |
| Palo Alto Networks | GlobalProtect App | 6.2.0 < 6.2.6 | affected |
Weaknesses
- CWE-295: CWE-295 Improper Certificate Validation
Workarounds
You can mitigate this issue for all platforms ( Windows https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/certifications/enable-and-verify-fips-cc-mode/enable-fips-cc-mode-using-the-windows-registry , macOS https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/certifications/enable-and-verify-fips-cc-mode/enable-fips-cc-mode-using-the-macos-property-list , Linux https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/certifications/enable-and-verify-fips-cc-mode/enable-fips-cc-mode-on-linux-endpoints-redhat , iOS https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/certifications/enable-and-verify-fips-cc-mode/enable-and-verify-fips-cc-mode-using-workspaceone-on-ios-devices , Android https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/certifications/enable-and-verify-fips-cc-mode/enable-and-verify-fips-cc-mode-using-microsoft-intune-on-android-endpoints ) by using the GlobalProtect app 6.0 in FIPS-CC mode or GlobalProtect app 5.1 in FIPS-CC mode. For details, refer to the first "FIPS-CC Certification Validation" table in our documentation https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/certifications/resolve-fips-cc-mode-issues .
Note: this is separate from any FIPS-CC configurations on any GlobalProtect portals or gateways. This workaround is specific to FIPS-CC mode on the GlobalProtect app. GlobalProtect portals or gateways do not need to use FIPS-CC mode as part of this workaround.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
References
- https://security.paloaltonetworks.com/CVE-2024-5921
- https://blog.amberwolf.com/blog/2024/november/palo-alto-globalprotect—code-execution-and-privilege-escalation-via-malicious-vpn-server-cve-2024-5921/
- https://github.com/AmberWolfCyber/NachoVPN
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.