Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Experts found critical RCE in Palo Alto Networks GlobalProtect Product

Security experts have discovered a critical remote code execution flaw in Palo Alto Networks GlobalProtect product, the flaw was quickly addressed. Last week, researchers Orange Tsai and Meh Chang published technical details of a critical remote code execution vulnerability that affects Palo Alto Networks’s GlobalProtect. The vulnerability, tracked as CVE-2019-1579, affects the GlobalProtect portal and […]

Palo Alto Networks GlobalProtect RCE

Security experts have discovered a critical remote code execution flaw in Palo Alto Networks GlobalProtect product, the flaw was quickly addressed.

Last week, researchers Orange Tsai and Meh Chang published technical details of a critical remote code execution vulnerability that affects Palo Alto Networks’s GlobalProtect.

The vulnerability, tracked as CVE-2019-1579, affects the GlobalProtect portal and GlobalProtect Gateway interface products. An unauthenticated attacker can exploit the flaw to remotely execute arbitrary code.

GlobalProtect products allow organizations to set up a virtual private network (VPN) access, they also implement other security and management features.

“Palo Alto Networks is aware of the reported remote code execution (RCE) vulnerability in its GlobalProtect portal and GlobalProtect Gateway interface products. The issue is already addressed in prior maintenance releases. (Ref: CVE-2019-1579)” reads the security advisory published by Palo Alto Networks.

Palo Alto Networks GlobalProtect RCE

The researchers also published the PoC code for the vulnerability and described how to determine is an install is vulnerable by using a simple command.

Affected products are PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11 and earlier, and PAN-OS 8.1.2 and earlier releases. PAN-OS 9.0 is not affected.

Palo Alto Networks addressed the flaw with the release of PAN-OS versions 7.1.19, 8.0.12 and 8.1.3. Earlier versions are impacted.

n this article, we would like to talk about the vulnerability on Palo Alto SSL VPN. Palo Alto calls their SSL VPN product line as GlobalProtect. You can easily identify the GlobalPortect service via the 302 redirection to /global-protect/login.esp on web root!” wrote the researchers.

“About the vulnerability, we accidentally discovered it during our Red Team assessment services.” “The bug is very straightforward. It is just a simple format string vulnerability with no authentication required!”

According to experts at Tenable that analyzed the CVE-2019-1579 flaw, the issue exists because the gateway doesn’t sanitize the value of a particular parameter passed to snprintf.

“More specifically, the vulnerability exists because the gateway passes the value of a particular parameter to snprintf in an unsanitized, and exploitable, fashion. An unauthenticated attacker could exploit the vulnerability by sending a specially crafted request to a vulnerable SSL VPN target in order to remotely execute code on the system,” reads the analysis published by Tenable.

Orange Tsai and Meh Chang reported the flaw to Palo Alto Networks, the company acknowledged the flaw but informed them that its experts have already discovered the vulnerability and released a patch.

The security duo searched for major organizations using vulnerable versions of GlobalProtect and discovered that Uber is one of them. Uber, in fact, runs 22 servers that implement VPN access to the company.

“After we awared this is not a 0day, we surveyed all Palo Alto SSL VPN over the world to see if there is any large corporations using the vulnerable GlobalProtect, and Uber is one of them! From our survey, Uber owns about 22 servers running the GlobalProtect around the world, here we take vpn.awscorp.uberinternal.com as an example!” added the experts.

Uber confirmed the discovery but explained that the exploitation of the flaw would have had limited impact because most of its employees use different VPN access. It also explained that Palo Alto Networks’ VPN was actually hosted on Amazon AWS.

“During our internal investigation, we found that the Palo Alto SSL VPN is not the same as the primary VPN which is used by the majority of our employees.” Uber replied.

“Additionally, we hosted the Palo Alto SSL VPN in AWS as opposed to our core infrastructure; as such, this would not have been able to access any of our internal infrastructure or core services. For these reasons, we determined that while it was an unauthenticated RCE, the overall impact and positional advantage of this was low. Thanks again for an awesome report!”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Palo Alto Networks, GlobalProtect)

[adrotate banner=”5″]

[adrotate banner=”13″]