CVE-2024-8687

Summary

An information exposure vulnerability exists in Palo Alto Networks PAN-OS software that enables a GlobalProtect end user to learn both the configured GlobalProtect uninstall password and the configured disable or disconnect passcode. After the password or passcode is known, end users can uninstall, disable, or disconnect GlobalProtect even if the GlobalProtect app configuration would not normally permit them to do so.

Affected Software

VendorProductVersion RangeStatus
Palo Alto NetworksPAN-OS11.1.0unaffected
Palo Alto NetworksPAN-OS11.2.0unaffected
Palo Alto NetworksPAN-OS11.0.0 < 11.0.1affected
Palo Alto NetworksPAN-OS10.2.0 < 10.2.4affected
Palo Alto NetworksPAN-OS10.1.0 < 10.1.9affected
Palo Alto NetworksPAN-OS10.0.0 < 10.0.12affected
Palo Alto NetworksPAN-OS9.1.0 < 9.1.16affected
Palo Alto NetworksPAN-OS9.0.0 < 9.0.17affected
Palo Alto NetworksPAN-OS8.1.0 < 8.1.25affected
Palo Alto NetworksGlobalProtect App5.1.0 < 5.1.12affected
Palo Alto NetworksGlobalProtect App5.2.0 < 5.2.13affected
Palo Alto NetworksGlobalProtect App6.0.0 < 6.0.7affected
Palo Alto NetworksGlobalProtect App6.1.0 < 6.1.2affected
Palo Alto NetworksGlobalProtect App6.2.0 < 6.2.1affected
Palo Alto NetworksGlobalProtect App6.3.0unaffected
Palo Alto NetworksCloud NGFWAllunaffected
Palo Alto NetworksPrisma Access10.2.0 < 10.2.9 on PAN-OSaffected

Weaknesses

  • CWE-497: CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere

Workarounds

Change the following two settings (if enabled) to "Allow with Ticket":

  • Network > GlobalProtect > Portals > > Agent > > App > Allow User to Disable GlobalProtect App
  • Network > GlobalProtect > Portals > > Agent > > App > Allow user to disconnect GlobalProtect App

Change the following setting (if enabled) to "Disallow":

  • Network > GlobalProtect > Portals > > Agent > > App > Allow User to Uninstall GlobalProtect App

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References