PT-2020-3483 · Palo Alto Networks · Globalprotect

Navin Vasan · Published 2020-05-13 · Updated 2020-05-15 · CVE-2020-2004

CVSS v3.1: 6.8 (Medium)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

Name of the Vulnerable Software and Affected Versions

GlobalProtect app versions prior to 5.0.9
GlobalProtect app versions prior to 5.1.2 on Windows or MacOS

Description

The issue is related to the disclosure of information through log files. Under certain circumstances, a user's password may be logged in cleartext in the PanGPS.log diagnostic file when logs are collected for troubleshooting on the GlobalProtect app for MacOS and Windows. This occurs when the 'Save User Credential' option is set to 'Yes' in the GlobalProtect Portal's Agent configuration, the user manually selects a gateway, and the logging level is set to 'Dump' while collecting troubleshooting logs. The issue does not affect the GlobalProtect app on other platforms, such as iOS, Android, or Linux.

Palo Alto Networks has safely deleted all known GlobalProtectLogs zip files sent by customers with the credentials and now filters and removes these credentials from all files sent to Customer Support.

Recommendations

For GlobalProtect app versions prior to 5.0.9, update to version 5.0.9 or later to resolve the issue.
For GlobalProtect app versions prior to 5.1.2 on Windows or MacOS, update to version 5.1.2 or later to resolve the issue.
As a temporary workaround, consider setting the 'Save User Credential' option to 'No' in the GlobalProtect Portal's Agent configuration to minimize the risk of password exposure.
Restrict access to the PanGPS.log diagnostic file to minimize the risk of exploitation.
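
The version and platform conditions above, applied to an endpoint inventory, as an added example that is not part of the original advisory or Palo Alto Networks code. The inventory records, host names, function names and the build-suffix handling are assumptions; releases older than the 5.0 branch are treated as affected, following the "prior to 5.0.9" wording.

```python
# Added example: triage an endpoint inventory against this advisory's affected ranges.
# Inventory records, host names and helper names are constructed for illustration.
import re

FIXED = {(5, 0): (5, 0, 9), (5, 1): (5, 1, 2)}  # first fixed release per branch (from the advisory)
AFFECTED_OS = {"windows", "macos"}              # iOS, Android and Linux are not affected


def parse_version(text):
    """Turn '5.0.10' or '5.1.1-12' into a tuple of ints; a build suffix is ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(os_name, version):
    """True when both the platform and the version conditions of the advisory hold."""
    if os_name.lower() not in AFFECTED_OS:
        return False
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is not None:
        # Compare inside the branch: 5.0.10 is fixed even though it sorts below 5.1.2.
        return v < fixed
    # Assumption: branches older than 5.0 count as "prior to 5.0.9"; newer ones carry the fix.
    return v < (5, 0, 0)


def triage(inventory, save_user_credential):
    """Return (host, action) pairs; save_user_credential mirrors the portal's agent setting."""
    results = []
    for host, os_name, version in inventory:
        if not is_affected(os_name, version):
            action = "ok"
        elif save_user_credential:
            action = "upgrade; set Save User Credential to No meanwhile"
        else:
            action = "upgrade"
        results.append((host, action))
    return results


# Constructed sample inventory: (host, os, GlobalProtect app version)
SAMPLE = [("wks-01", "Windows", "5.0.8"), ("wks-02", "Windows", "5.0.10"),
          ("mac-01", "macOS", "5.1.1"), ("mac-02", "macOS", "5.1.2"),
          ("lnx-01", "Linux", "5.0.3"), ("wks-03", "Windows", "4.1.13")]

if __name__ == "__main__":
    for host, action in triage(SAMPLE, save_user_credential=True):
        print(f"{host}: {action}")
```

Comparing versions as integer tuples per branch avoids two common triage mistakes: string comparison that ranks 5.0.10 below 5.0.9, and a single "< 5.1.2" threshold that flags fixed 5.0.x releases.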

Fix

Insertion into Log File

Weakness Enumeration

Related Identifiers

BDU:2020-03807
CVE-2020-2004

Affected Products

Globalprotect