PT-2024-10388 · Palo Alto Networks · Palo Alto Networks GlobalProtect

David Cash

Published 2024-06-12 · Updated 2025-08-26

CVE-2024-5921

CVSS v3.1: 8.8 (High)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Palo Alto Networks GlobalProtect (affected versions not specified)

Description: The issue stems from insufficient certificate validation in the GlobalProtect app, which allows attackers to connect the app to arbitrary servers. A local non-administrative operating system user, or an attacker on the same subnet, can use this to install malicious root certificates on the endpoint and subsequently install malicious software signed by those root certificates on that endpoint. Over 1.4 million results are found to be potentially affected. The vulnerability can be exploited to achieve remote code execution and privilege escalation.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability. However, it is recommended to update to version 6.2.6 and make the required registry changes: set "cert-store" to "machine", "cert-location" to "ROOT", and "full-chain-cert-verify" to "yes". Additionally, ensure the full certificate chain is installed in the root certificate directory. If issues persist, consider temporarily disabling the vulnerable component or restricting access to the affected API endpoints until a patch is available. Note that using an ECC certificate with GP 6.2.6 in FIPS-CC mode may result in "Non compliant FIPS-CC mode certificate" errors. As a workaround, using a GoDaddy or SSL.com certificate may resolve OCSP/CRL issues.

Exploit

Weakness Enumeration

Improper Authentication

Improper Certificate Validation

Related Identifiers

BDU:2025-00897
CVE-2024-5921

Affected Products

Palo Alto Networks Globalprotect