{"uuid": "97da5012-2204-4022-9d84-091ea22d3e0d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "Researchers have discovered vulnerabilities in the update process of Palo Alto Networks (CVE-2024-5921) and SonicWall (CVE-2024-29014)", "description": "# CVE-2024-5921\n\nCVE-2024-5921 affects various versions of Palo Alto\u2019s GlobalProtect App on Windows, macOS and Linux, and stems from insufficient certificate validation.\n\nThe flaw lets attackers connect the GlobalProtect app to arbitrary servers, the company confirmed, noting that this may allow them to install malicious root certificates on the endpoint and subsequently install malicious software signed by those certificates.\n\n\u201cBoth the Windows and macOS versions of the GlobalProtect VPN client are vulnerable to remote code execution (RCE) and privilege escalation via the automatic update mechanism. While the update process requires MSI files to be signed, attackers can exploit the PanGPS service to install a maliciously trusted root certificate, enabling RCE and privilege escalation. The updates are executed with the privilege level of the service component (SYSTEM on Windows and root on macOS),\u201d AmberWolf researchers Richard Warren and David Cash explained.\n\n\u201cBy default, users can specify arbitrary endpoints in the VPN client\u2019s UI component (PanGPA). This behaviour can be exploited in social engineering attacks, where attackers trick users into connecting to rogue VPN servers. These servers can capture login credentials and compromise systems through malicious client updates.\u201d\n\n\u201cThis issue is fixed in GlobalProtect app 6.2.6 and all later GlobalProtect app 6.2 versions on Windows,\u201d Palo Alto says. 
The company has also introduced an additional configuration parameter (FULLCHAINCERTVERIFY) that should be enabled to enforce stricter certificate validation against the system\u2019s trusted certificate store.\n\nThere are currently no fixes for the macOS or Linux versions of the app, according to PAN\u2019s security advisory.\n\nA workaround/mitigation is available, though: enable FIPS-CC mode for the GlobalProtect app on the endpoints (and enable FIPS-CC mode on the GlobalProtect portal/gateway).\n\nAmberWolf researchers say that host-based firewall rules can also be implemented to prevent users from connecting to malicious VPN servers.\n\n# CVE-2024-29014\n\nCVE-2024-29014 affects SonicWall\u2019s NetExtender VPN client for Windows versions 10.2.339 and earlier, and allows attackers to execute code with SYSTEM privileges when an End Point Control (EPC) Client update is processed. The vulnerability stems from insufficient signature validation.\n\nThere are several ways an attacker can reach this code path. For example, a user can be tricked into connecting their NetExtender client to a malicious VPN server, which then serves a fake (malicious) EPC Client update that the client installs.\n\n\u201cWhen the SMA Connect Agent is installed, attackers can exploit a custom URI handler to force the NetExtender client to connect to their server. 
Users only need to visit a malicious website and accept a browser prompt, or open a malicious document for the attack to succeed,\u201d the AmberWolf researchers said, describing a second attack path.\n\nSonicWall patched the vulnerability earlier this year in NetExtender Windows (32 and 64 bit) 10.2.341 and later versions, and urged users to upgrade.\n\n\u201cIf an immediate upgrade is not feasible, consider using a client firewall to restrict access to known, legitimate VPN endpoints to prevent users from inadvertently connecting to malicious servers,\u201d AmberWolf advised.", "creation_timestamp": "2024-11-27T10:49:57.830562+00:00", "timestamp": "2024-11-27T10:49:57.830562+00:00", "related_vulnerabilities": ["CVE-2024-5921", "CVE-2024-29014"], "meta": [{"ref": "https://www.helpnetsecurity.com/2024/11/26/vulnerabilities-corporate-vpn-clients-cve-2024-5921-cve-2024-29014/"}], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
