CVE-2024-9473 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability
Description
A privilege escalation vulnerability in the Palo Alto Networks GlobalProtect app on Windows allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY/SYSTEM through the use of the repair functionality offered by the .msi file used to install GlobalProtect.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| GlobalProtect App 6.3 | < 6.3.1-c383 on Windows | >= 6.3.1-c383 on Windows |
| GlobalProtect App 6.2 | < 6.2.5 on Windows | >= 6.2.5 on Windows |
| GlobalProtect App 6.1 | < 6.1.4-c720 on Windows, = 6.1.5 on Windows | >= 6.1.4-c720 on Windows |
| GlobalProtect App 6.0 | < 6.0.10-c823 on Windows | >= 6.0.10-c823 on Windows |
| GlobalProtect App 5.1 | All on Windows | None on Windows |
Severity: MEDIUM
CVSSv4.0 Base Score: 5.2 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/AU:N/R:U/V:C/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue. However, a proof of concept for this issue is publicly available.
Weakness Type
CWE-250 Execution with Unnecessary Privileges
Solution
This issue is fixed in GlobalProtect app 6.0.10-c823, GlobalProtect app 6.1.4-c720, GlobalProtect app 6.2.5, GlobalProtect app 6.3.1-c383, and will be fixed in the remaining supported versions of GlobalProtect app listed in the Product Status section. Updates will be published to this advisory as they become available.
Customers who want to upgrade should reach out to customer support at https://support.paloaltonetworks.com.
Workarounds and Mitigations
Update the Windows registry on endpoints with an affected version of GlobalProtect to disable all MSI installations (not just GlobalProtect installations). This change is system-wide, so it will affect all users of the system including administrators. The following command will update the registry on an endpoint to disable the repair functionality of any MSI file. It will also prevent using MSI files to install, re-install, or uninstall software. This command must be run with administrative privileges.
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" /v DisableMSI /t REG_DWORD /d 2 /fBe aware that this will fully prevent use of all MSI files, thereby blocking common IT operations such as software deployments typically done by endpoint management solutions that use MSI files to perform the installations. Use caution before updating this value in the registry. After setting DisableMSI to 2, this value will need to be either deleted or changed to another value in order to use any MSI files. For more information, please see https://learn.microsoft.com/en-us/windows/win32/msi/disablemsi.
Acknowledgments
CPEs
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.1:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.0:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.4:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.3:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.2:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.1:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.0:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.1.5:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.1.4:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.1.3:-:*:*:*:*:*:*