Palo Alto Networks Security Advisories / CVE-2024-8687

CVE-2024-8687 PAN-OS: Cleartext Exposure of GlobalProtect Portal Passcodes

047910
Severity 6.9 · MEDIUM
Urgency MODERATE
Response Effort MODERATE
Recovery AUTOMATIC
Value Density DIFFUSE
Attack Vector LOCAL
Attack Complexity LOW
Attack Requirements NONE
Automatable NO
User Interaction NONE
Product Confidentiality HIGH
Product Integrity NONE
Product Availability LOW
Privileges Required LOW
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE

Description

An information exposure vulnerability exists in Palo Alto Networks PAN-OS software that enables a GlobalProtect end user to learn both the configured GlobalProtect uninstall password and the configured disable or disconnect passcode. After the password or passcode is known, end users can uninstall, disable, or disconnect GlobalProtect even if the GlobalProtect app configuration would not normally permit them to do so.

Product Status

VersionsAffectedUnaffected
Cloud NGFW NoneAll
GlobalProtect App 6.3NoneAll
GlobalProtect App 6.2< 6.2.1>= 6.2.1
GlobalProtect App 6.1< 6.1.2>= 6.1.2
GlobalProtect App 6.0< 6.0.7>= 6.0.7
GlobalProtect App 5.2< 5.2.13>= 5.2.13
GlobalProtect App 5.1< 5.1.12>= 5.1.12
PAN-OS 11.2NoneAll
PAN-OS 11.1NoneAll
PAN-OS 11.0< 11.0.1>= 11.0.1
PAN-OS 10.2< 10.2.4>= 10.2.4
PAN-OS 10.1< 10.1.9>= 10.1.9
PAN-OS 10.0< 10.0.12>= 10.0.12
PAN-OS 9.1< 9.1.16>= 9.1.16
PAN-OS 9.0< 9.0.17>= 9.0.17
PAN-OS 8.1< 8.1.25>= 8.1.25
Prisma Access < 10.2.9 on PAN-OS>= 10.2.9 on PAN-OS

Required Configuration for Exposure

Impacted systems are those on which any of the following features are enabled:

* Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App > Allow User to Disable GlobalProtect App > Allow with Passcode

* Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App > Allow user to disconnect GlobalProtect App > Allow with Passcode

* Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App > Allow User to Uninstall GlobalProtect App > Allow with Password

Severity: MEDIUM

CVSSv4.0 Base Score: 6.9 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere

Solution

This issue is fixed in PAN-OS 8.1.25, PAN-OS 9.0.17, PAN-OS 9.1.16, PAN-OS 10.0.12, PAN-OS 10.1.9, PAN-OS 10.2.4, PAN-OS 11.0.1, and all later PAN-OS versions. It is also fixed in Prisma Access 10.2.9 and all later Prisma Access versions. To maintain GlobalProtect app functionality for the vulnerable features, we released a corresponding software update for GlobalProtect app 5.1.12, GlobalProtect app 5.2.13, GlobalProtect app 6.0.7, GlobalProtect app 6.1.2, and GlobalProtect app 6.2.1, and all later GlobalProtect app versions.

To maintain the ability for end users to use the uninstall password feature and the disable or disconnect passcode feature, you must ensure that you upgrade all GlobalProtect app deployments to a fixed version before you upgrade your PAN-OS software to a fixed version.

All fixed versions of GlobalProtect are backwards compatible with vulnerable versions of PAN-OS software. However, fixed versions of PAN-OS software are not backwards compatible with vulnerable versions of GlobalProtect.

You can find additional information for PAN-204689 here: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-0-known-and-addressed-issues/pan-os-11-1-0-known-issues

Prisma Access customers can open a support case to request an upgrade.

Workarounds and Mitigations

Change the following two settings (if enabled) to "Allow with Ticket":

* Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App > Allow User to Disable GlobalProtect App

* Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App > Allow user to disconnect GlobalProtect App

Change the following setting (if enabled) to "Disallow":

* Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App > Allow User to Uninstall GlobalProtect App

Acknowledgments

Palo Alto Networks thanks Claudiu Pancotan for discovering and reporting this issue.

Timeline

Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.