-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2022
                     GlobalProtect App vulnerabilities
                                11 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GlobalProtect App
Publisher:         Palo Alto
Operating System:  Windows
Impact/Access:     Increased Privileges           -- Existing Account
                   Provide Misleading Information -- Remote/Unauthenticated
                   Reduced Security               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2033 CVE-2020-2032

Original Bulletin:
   https://securityadvisories.paloaltonetworks.com/CVE-2020-2032
   https://securityadvisories.paloaltonetworks.com/CVE-2020-2033

Comment: This bulletin contains two (2) Palo Alto security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Palo Alto Networks Security Advisories / CVE-2020-2032

CVE-2020-2032 GlobalProtect App: File race condition vulnerability leads to
local privilege escalation during upgrade

Severity                7 (HIGH)
Attack Vector           LOCAL
Attack Complexity       HIGH
Privileges Required     LOW
User Interaction        NONE
Scope                   UNCHANGED
Confidentiality Impact  HIGH
Integrity Impact        HIGH
Availability Impact     HIGH

Published: 2020-06-10
Updated:   2020-06-10
Ref#:      GPC-10583

Description

A race condition vulnerability in Palo Alto Networks GlobalProtect app on
Windows allows a local limited Windows user to execute programs with SYSTEM
privileges. This issue can be exploited only while performing a GlobalProtect
app upgrade.

This issue affects: GlobalProtect app 5.0 versions earlier than GlobalProtect
app 5.0.10 on Windows; GlobalProtect app 5.1 versions earlier than
GlobalProtect app 5.1.4 on Windows.
Product Status

GlobalProtect App   Versions Affected      Unaffected
5.1                 < 5.1.4 on Windows     >= 5.1.4 on Windows
5.0                 < 5.0.10 on Windows    >= 5.0.10 on Windows

Severity: HIGH
CVSSv3.1 Base Score: 7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Weakness Type

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

Solution

This issue is fixed in GlobalProtect app 5.0.10, GlobalProtect app 5.1.4, and
all later GlobalProtect app versions.

Workarounds and Mitigations

Acknowledgements

Palo Alto Networks thanks Rich Mirch of TeamARES from Critical Start Inc for
discovering and reporting this issue.

Timeline

2020-06-10 Initial publication

(C) 2020 Palo Alto Networks, Inc. All rights reserved.

- --------------------------------------------------------------------------------

Palo Alto Networks Security Advisories / CVE-2020-2033

CVE-2020-2033 GlobalProtect App: Missing certificate validation vulnerability
can disclose pre-logon authentication cookie

Severity                5.3 (MEDIUM)
Attack Vector           ADJACENT_NETWORK
Attack Complexity       HIGH
Privileges Required     NONE
User Interaction        NONE
Scope                   UNCHANGED
Confidentiality Impact  HIGH
Integrity Impact        NONE
Availability Impact     NONE

Published: 2020-06-10
Updated:   2020-06-10
Ref#:      GPC-10741

Description

When the pre-logon feature is enabled, a missing certificate validation in
Palo Alto Networks GlobalProtect app can disclose the pre-logon authentication
cookie to a man-in-the-middle attacker on the same local area network segment
with the ability to manipulate ARP or to conduct ARP spoofing attacks. This
allows the attacker to access the GlobalProtect Server as allowed by
configured Security rules for the 'pre-login' user. This access may be limited
compared to the network access of regular users.
This issue affects: GlobalProtect app 5.0 versions earlier than GlobalProtect
app 5.0.10 when the prelogon feature is enabled; GlobalProtect app 5.1
versions earlier than GlobalProtect app 5.1.4 when the prelogon feature is
enabled.

Product Status

GlobalProtect App   Versions Affected   Unaffected
5.1                 < 5.1.4             >= 5.1.4
5.0                 < 5.0.10            >= 5.0.10

Severity: MEDIUM
CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Weakness Type

CWE-290 Authentication Bypass by Spoofing
CWE-295 Improper Certificate Validation

Solution

This issue is fixed in GlobalProtect app 5.0.10, GlobalProtect app 5.1.4, and
all later GlobalProtect app versions.

Workarounds and Mitigations

The impact of this vulnerability can be mitigated by decreasing the allowed
timeout settings for the prelogon feature or by completely disabling the
feature in the GlobalProtect gateway.

Acknowledgements

Palo Alto Networks thanks Tom Wyckhuys and Nabeel Ahmed from NTT Belgium for
discovering and reporting this issue.

Timeline

2020-06-10 Initial publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXuGLceNLKJtyKPYoAQh5HQ/+Jkv+KW/XVnnCXqpAKGPs2yLybaR9kfGZ
o+ocgxgoMBLKogfSqN/v/5Db6Frfp4mX9ADYp1JuAXfR0p0G+kFksCWLfJ2Rw489
1T18pMY7cb9EE1RPrYauBnJzW3ClOs70r3p2DQoVUChTiHd5xwmAP7UvCTqpP6qi
aUcRyEhERxQucJtTOGJ3kgzwv+Zu0tP0N1PyRNRQeO2BeDSyILrmVlFajXt9AIG4
APpKFee1VD+tzBIhZ8AYnLNPmvi3wySspMDOHJlpCI3gLkTKDUsMLe7jO7Na1AZC
YeaIp9HnGtQEgvgxQJ389CkDEzZ6I8QYxfpoAd7JDrokldiqeyIMgkvHsDWEflV2
KofIimLBGKZp7+XeoRouPq/1Pt92QEzcg1f0230LqTKBUgXDSTJJdW/j43UFmfj2
Vwp8NUOlzGtexLclMJ9nZPWVKaNtA9py1ssH4JF7a4szamtuFXqBhal1ses2vaoB
uk/GVJiYLO6t+2OdSc1l/UCJe2ACIfPD4uZ24aYhwBHrk1SqAZmiLjRY3EeMGbqa
0Deb+Uj+imKPr91mlM2vPae14InE4gDufyRVUaw28x7cBaXDkqpu0VSts200yP1A
II+R+k3A5PLnUvZEg8d5bT14aoSZO2eH8i+hWV39Ha4Al7WDAMLsynRxr18E9VyE
nnRGACk+n4o=
=E0nN
-----END PGP SIGNATURE-----
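Added example, not part of the AusCERT bulletin above and not code from Palo Alto Networks: a small Python checker that applies the Product Status tables and Solution sections of both advisories to an endpoint inventory and reports which CVE applies to each host. It takes into account that CVE-2020-2032 concerns the Windows app during its upgrade and that CVE-2020-2033 applies only when the pre-logon feature is enabled, and it carries the advisory's mitigation text for CVE-2020-2033 into the finding. The hostnames, the inventory rows, the `Finding` record and the `-cNN` build-suffix handling are constructed for the example; treating branches older than 5.0, which the advisories do not mention, as "not-covered" and flagging them for manual review is an assumption of this example.

```python
"""Apply the GlobalProtect App Product Status tables from ESB-2020.2022 to an inventory.

Added example, not code from AusCERT or Palo Alto Networks. The inventory rows
below are constructed sample data.
"""
from typing import List, NamedTuple, Tuple

# Fixed versions per release branch, as stated in both advisories' Solution sections.
FIXED_IN = {
    (5, 0): (5, 0, 10),
    (5, 1): (5, 1, 4),
}
LATEST_FIXED_BRANCH = (5, 1)  # "and all later GlobalProtect app versions" are unaffected


class Finding(NamedTuple):
    host: str
    cve: str
    severity: str
    action: str


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.1.3' or '5.0.9-c12' into a comparable (major, minor, patch) tuple."""
    core = text.strip().split("-")[0]  # drop a build suffix such as '-c12' (assumed format)
    parts = core.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GlobalProtect version {text!r}")
    nums = [int(p) for p in parts] + [0, 0]  # pad '5.0' to (5, 0, 0)
    return nums[0], nums[1], nums[2]


def branch_status(version: str) -> str:
    """Return 'affected', 'fixed' or 'not-covered' for one version string.

    'not-covered' is this example's assumption for branches older than 5.0,
    which the advisories do not mention; such hosts are flagged for review.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_IN:
        return "affected" if v < FIXED_IN[branch] else "fixed"
    if branch > LATEST_FIXED_BRANCH:
        return "fixed"
    return "not-covered"


def assess(host: str, version: str, windows: bool, prelogon_enabled: bool) -> List[Finding]:
    """Return the findings for one endpoint, one per applicable CVE."""
    status = branch_status(version)
    if status == "fixed":
        return []
    if status == "not-covered":
        return [Finding(host, "REVIEW", "UNKNOWN",
                        f"version {version} is outside the advisories' tables; verify with the vendor")]
    findings: List[Finding] = []
    if windows:  # CVE-2020-2032 is specific to the Windows app and its upgrade path
        findings.append(Finding(host, "CVE-2020-2032", "HIGH (7)",
                                "upgrade to 5.0.10 / 5.1.4 or later; the LPE window exists only "
                                "while an app upgrade runs"))
    if prelogon_enabled:  # CVE-2020-2033 requires the pre-logon feature to be on
        findings.append(Finding(host, "CVE-2020-2033", "MEDIUM (5.3)",
                                "upgrade to 5.0.10 / 5.1.4 or later; meanwhile shorten the pre-logon "
                                "timeout or disable pre-logon on the gateway"))
    return findings


# Constructed sample inventory: (host, app version, is Windows, pre-logon enabled)
SAMPLE_INVENTORY = [
    ("win-lap-01", "5.1.3", True, True),    # both CVEs apply
    ("win-lap-02", "5.1.4", True, True),    # fixed release
    ("win-lap-03", "5.0.9", True, False),   # CVE-2020-2032 only (pre-logon off)
    ("mac-lap-01", "5.0.8", False, True),   # CVE-2020-2033 only (not Windows)
    ("win-lap-04", "5.2.0", True, True),    # later branch, unaffected
]


def assess_inventory(rows=SAMPLE_INVENTORY) -> List[Finding]:
    """Run assess() over every inventory row and collect the findings."""
    out: List[Finding] = []
    for host, version, windows, prelogon in rows:
        out.extend(assess(host, version, windows, prelogon))
    return out


if __name__ == "__main__":
    for f in assess_inventory():
        print(f"{f.host:12} {f.cve:14} {f.severity:13} {f.action}")
```

The version comparison is done on integer tuples rather than strings so that 5.0.10 sorts after 5.0.9; comparing the raw strings would wrongly mark 5.0.10 as affected. Hosts on a branch the advisories do not list are not silently reported as clean, because absence from the table is not evidence that the fix is present.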