
Palo Alto Certificate Validation Flaw Lets Attackers Escalate Privileges

A significant security vulnerability has been discovered in Palo Alto Networks’ GlobalProtect app, potentially allowing attackers to escalate privileges on affected systems.

The flaw, which stems from insufficient certificate validation, enables malicious actors to connect the GlobalProtect app to arbitrary servers, potentially installing malicious root certificates and software on endpoints.

The vulnerability affects multiple versions of the GlobalProtect app, including:

  • All versions of GlobalProtect App 6.3, 6.1, 6.0, and 5.1
  • GlobalProtect App 6.2 versions below 6.2.6 on Windows
  • All versions of GlobalProtect App 6.2 on macOS and Linux
  • All versions of GlobalProtect UWP App on Windows

The severity of this vulnerability is classified as MEDIUM, with a suggested urgency of MODERATE. The Common Vulnerability Scoring System (CVSS) rates it at 5.6 (Base Temporal) and 6.8 (Base).

While Palo Alto Networks has stated that they are not aware of any malicious exploitation of this issue, the potential impact remains significant.

The vulnerability is categorized under CWE-295 (Improper Certificate Validation) and CAPEC-233 (Privilege Escalation), highlighting the risk of unauthorized access and system compromise.


Palo Alto Networks has addressed this issue in GlobalProtect app version 6.2.6 and later versions on Windows. Users are strongly advised to update their software to the latest version to mitigate the risk.

A workaround is available for those unable to update immediately: run the GlobalProtect app in FIPS-CC mode. The following install command enables full-chain certificate verification and specifies the certificate store and location used for validation.

msiexec.exe /i GlobalProtect64.msi FULLCHAINCERTVERIFY="yes" CERTSTORE="machine" CERTLOCATION="ROOT"
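To turn the affected-version list and the remediation above into a repeatable check across a fleet, here is an added Python triage script (not Palo Alto Networks' code, nor a tool from this article); the host names, platform labels and inventory rows are constructed sample data.

```python
"""Check a GlobalProtect app inventory against the affected-version rules
in the advisory above. Added example, not vendor code; the inventory
rows are constructed sample data, not real hosts."""
from typing import List, Tuple

FIXED_WINDOWS = (6, 2, 6)  # first fixed release on Windows, per the advisory

def parse_version(text: str) -> Tuple[int, ...]:
    """'6.2.5-h1' -> (6, 2, 5); hotfix suffixes are ignored."""
    core = text.split("-")[0]
    return tuple(int(p) for p in core.split("."))

def is_affected(version: str, platform: str, uwp: bool = False) -> bool:
    """Apply the advisory's rules. platform: 'windows', 'macos' or 'linux'."""
    if uwp:
        return True  # all GlobalProtect UWP App versions are affected
    v = parse_version(version)
    major_minor = v[:2]
    if major_minor in {(6, 3), (6, 1), (6, 0), (5, 1)}:
        return True  # every build of these trains is listed as affected
    if major_minor == (6, 2):
        if platform == "windows":
            return v < FIXED_WINDOWS  # fixed in 6.2.6 and later on Windows
        return True  # all 6.2 builds on macOS and Linux are affected
    return False  # version train not listed in the advisory

def triage(inventory: List[Tuple[str, str, str, bool]]) -> List[Tuple[str, str]]:
    """Return (host, action) pairs for hosts that still need attention."""
    findings = []
    for host, platform, version, uwp in inventory:
        if not is_affected(version, platform, uwp):
            continue
        if platform == "windows" and not uwp:
            action = ("update to 6.2.6 or later, or reinstall with "
                      "FULLCHAINCERTVERIFY=yes (FIPS-CC mode)")
        else:
            action = ("no fixed build listed in the advisory for this platform; "
                      "FIPS-CC mode is the listed workaround")
        findings.append((host, action))
    return findings

SAMPLE_INVENTORY = [  # constructed sample data: (host, platform, version, uwp)
    ("win-01", "windows", "6.2.5", False),
    ("win-02", "windows", "6.2.6", False),
    ("win-03", "windows", "6.3.1", False),
    ("win-04", "windows", "6.2.7", True),
    ("mac-01", "macos", "6.2.6", False),
    ("lnx-01", "linux", "6.1.4", False),
]
```

Feed `triage()` rows exported from your endpoint-management system; only hosts the advisory lists as affected come back, each with the remediation the advisory gives for that platform.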

This vulnerability underscores the ongoing challenges in cybersecurity, particularly in widely used enterprise software. It serves as a reminder of the importance of regular security audits and prompt patching of identified vulnerabilities.

The discovery of this flaw comes at a time when cybersecurity concerns are at an all-time high, with recent reports from CERT-IN warning about other critical vulnerabilities in Palo Alto Networks applications.

These incidents highlight the need for organizations to remain vigilant and proactive in their security measures.

As the cybersecurity landscape continues to evolve, both vendors and users must prioritize security updates and maintain robust defense mechanisms against potential threats.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
