Pierluigi Paganini July 22, 2019

Security experts have discovered a critical remote code execution flaw in Palo Alto Networks GlobalProtect product, the flaw was quickly addressed.

Last week, researchers Orange Tsai and Meh Chang published technical details of a critical remote code execution vulnerability that affects Palo Alto Networks’s GlobalProtect.

The vulnerability, tracked as CVE-2019-1579, affects the GlobalProtect portal and GlobalProtect Gateway interface products. An unauthenticated attacker can exploit the flaw to remotely execute arbitrary code.

GlobalProtect products allow organizations to set up a virtual private network (VPN) access, they also implement other security and management features.

“Palo Alto Networks is aware of the reported remote code execution (RCE) vulnerability in its GlobalProtect portal and GlobalProtect Gateway interface products. The issue is already addressed in prior maintenance releases. (Ref: CVE-2019-1579)” reads the security advisory published by Palo Alto Networks.

The researchers also published the PoC code for the vulnerability and described how to determine is an install is vulnerable by using a simple command.

Affected products are PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11 and earlier, and PAN-OS 8.1.2 and earlier releases. PAN-OS 9.0 is not affected.

Palo Alto Networks addressed the flaw with the release of PAN-OS versions 7.1.19, 8.0.12 and 8.1.3. Earlier versions are impacted.

“n this article, we would like to talk about the vulnerability on Palo Alto SSL VPN. Palo Alto calls their SSL VPN product line as GlobalProtect. You can easily identify the GlobalPortect service via the 302 redirection to /global-protect/login.esp on web root!” wrote the researchers.

“About the vulnerability, we accidentally discovered it during our Red Team assessment services.” “The bug is very straightforward. It is just a simple format string vulnerability with no authentication required!”

According to experts at Tenable that analyzed the CVE-2019-1579 flaw, the issue exists because the gateway doesn’t sanitize the value of a particular parameter passed to snprintf.

“More specifically, the vulnerability exists because the gateway passes the value of a particular parameter to snprintf in an unsanitized, and exploitable, fashion. An unauthenticated attacker could exploit the vulnerability by sending a specially crafted request to a vulnerable SSL VPN target in order to remotely execute code on the system,” reads the analysis published by Tenable.

Orange Tsai and Meh Chang reported the flaw to Palo Alto Networks, the company acknowledged the flaw but informed them that its experts have already discovered the vulnerability and released a patch.

The security duo searched for major organizations using vulnerable versions of GlobalProtect and discovered that Uber is one of them. Uber, in fact, runs 22 servers that implement VPN access to the company.

“After we awared this is not a 0day, we surveyed all Palo Alto SSL VPN over the world to see if there is any large corporations using the vulnerable GlobalProtect, and Uber is one of them! From our survey, Uber owns about 22 servers running the GlobalProtect around the world, here we take vpn.awscorp.uberinternal.com as an example!” added the experts.

Uber confirmed the discovery but explained that the exploitation of the flaw would have had limited impact because most of its employees use different VPN access. It also explained that Palo Alto Networks’ VPN was actually hosted on Amazon AWS.

“During our internal investigation, we found that the Palo Alto SSL VPN is not the same as the primary VPN which is used by the majority of our employees.” Uber replied.

“Additionally, we hosted the Palo Alto SSL VPN in AWS as opposed to our core infrastructure; as such, this would not have been able to access any of our internal infrastructure or core services. For these reasons, we determined that while it was an unauthenticated RCE, the overall impact and positional advantage of this was low. Thanks again for an awesome report!”

Pierluigi Paganini

(SecurityAffairs – Palo Alto Networks, GlobalProtect)

[adrotate banner=”5″]

[adrotate banner=”13″]