Palo Alto GlobalProtect App up to 5.0.9/5.1.3 Pre-Login certificate validation

Summaryinfo

A vulnerability was found in Palo Alto GlobalProtect App up to 5.0.9/5.1.3. It has been classified as critical. This vulnerability affects unknown code of the component Pre-Login Handler. This manipulation causes certificate validation. This vulnerability is handled as CVE-2020-2033. The attack can only be done within the local network. There is not any exploit available. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability classified as problematic was found in Palo Alto GlobalProtect App up to 5.0.9/5.1.3. Affected by this vulnerability is an unknown code block of the component Pre-Login Handler. The manipulation with an unknown input leads to a certificate validation vulnerability. The CWE definition for the vulnerability is CWE-295. The product does not validate, or incorrectly validates, a certificate. As an impact it is known to affect confidentiality. The summary by CVE is:

When the pre-logon feature is enabled, a missing certification validation in Palo Alto Networks GlobalProtect app can disclose the pre-logon authentication cookie to a man-in-the-middle attacker on the same local area network segment with the ability to manipulate ARP or to conduct ARP spoofing attacks. This allows the attacker to access the GlobalProtect Server as allowed by configured Security rules for the 'pre-login' user. This access may be limited compared to the network access of regular users. This issue affects: GlobalProtect app 5.0 versions earlier than GlobalProtect app 5.0.10 when the prelogon feature is enabled; GlobalProtect app 5.1 versions earlier than GlobalProtect app 5.1.4 when the prelogon feature is enabled.

The weakness was released 06/10/2020. This vulnerability is known as CVE-2020-2033 since 12/04/2019. The exploitation appears to be difficult. Access to the local network is required for this attack. The exploitation doesn't need any form of authentication. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1587.003 according to MITRE ATT&CK.

Upgrading to version 5.0.10 or 5.1.4 eliminates this vulnerability.

Entry connected to this vulnerability is available at VDB-156510. Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Vendor

• Palo Alto

Name

• GlobalProtect App

Version

• 5.0.0
• 5.0.1
• 5.0.2
• 5.0.3
• 5.0.4
• 5.0.5
• 5.0.6
• 5.0.7
• 5.0.8
• 5.0.9
• 5.1.0
• 5.1.1
• 5.1.2
• 5.1.3

License

• commercial

Website

• Vendor: https://www.paloaltonetworks.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion