cve-2022-0018
Vulnerability from cvelistv5
Published
2022-02-10 18:10
Modified
2024-09-16 23:36
Severity ?
EPSS score ?
Summary
An information exposure vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows and MacOS where the credentials of the local user account are sent to the GlobalProtect portal when the Single Sign-On feature is enabled in the GlobalProtect portal configuration. This product behavior is intentional and poses no security risk when connecting to trusted GlobalProtect portals configured to use the same Single Sign-On credentials both for the local user account as well as the GlobalProtect login. However when the credentials are different, the local account credentials are inadvertently sent to the GlobalProtect portal for authentication. A third party MITM type of attacker cannot see these credentials in transit. This vulnerability is a concern where the GlobalProtect app is deployed on Bring-your-Own-Device (BYOD) type of clients with private local user accounts or GlobalProtect app is used to connect to different organizations. Fixed versions of GlobalProtect app have an app setting to prevent the transmission of the user's local user credentials to the target GlobalProtect portal regardless of the portal configuration. This issue impacts: GlobalProtect app 5.1 versions earlier than GlobalProtect app 5.1.10 on Windows and MacOS; GlobalProtect app 5.2 versions earlier than GlobalProtect app 5.2.9 on Windows and MacOS This issue does not affect GlobalProtect app on other platforms.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@paloaltonetworks.com | https://security.paloaltonetworks.com/CVE-2022-0018 | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.paloaltonetworks.com/CVE-2022-0018 | Mitigation, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Palo Alto Networks | GlobalProtect App |
Version: 5.2 < 5.2.9 Version: 5.1 < 5.1.10 |
||||||
|
|||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T23:18:41.280Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://security.paloaltonetworks.com/CVE-2022-0018", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { platforms: [ "Windows and MacOS", ], product: "GlobalProtect App", vendor: "Palo Alto Networks", versions: [ { changes: [ { at: "5.2.9", status: "unaffected", }, ], lessThan: "5.2.9", status: "affected", version: "5.2", versionType: "custom", }, { changes: [ { at: "5.1.10", status: "unaffected", }, ], lessThan: "5.1.10", status: "affected", version: "5.1", versionType: "custom", }, ], }, { product: "GlobalProtect App", vendor: "Palo Alto Networks", versions: [ { status: "unaffected", version: "5.3.*", }, ], }, ], credits: [ { lang: "en", value: "Palo Alto Networks thanks Irina Belyaeva of Jet Infosystems for discovering and reporting this issue.", }, ], datePublic: "2022-02-09T00:00:00", descriptions: [ { lang: "en", value: "An information exposure vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows and MacOS where the credentials of the local user account are sent to the GlobalProtect portal when the Single Sign-On feature is enabled in the GlobalProtect portal configuration. This product behavior is intentional and poses no security risk when connecting to trusted GlobalProtect portals configured to use the same Single Sign-On credentials both for the local user account as well as the GlobalProtect login. However when the credentials are different, the local account credentials are inadvertently sent to the GlobalProtect portal for authentication. A third party MITM type of attacker cannot see these credentials in transit. This vulnerability is a concern where the GlobalProtect app is deployed on Bring-your-Own-Device (BYOD) type of clients with private local user accounts or GlobalProtect app is used to connect to different organizations. Fixed versions of GlobalProtect app have an app setting to prevent the transmission of the user's local user credentials to the target GlobalProtect portal regardless of the portal configuration. This issue impacts: GlobalProtect app 5.1 versions earlier than GlobalProtect app 5.1.10 on Windows and MacOS; GlobalProtect app 5.2 versions earlier than GlobalProtect app 5.2.9 on Windows and MacOS This issue does not affect GlobalProtect app on other platforms.", }, ], exploits: [ { lang: "en", value: "Palo Alto Networks is not aware of any malicious exploitation of this issue.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-201", description: "CWE-201 Information Exposure Through Sent Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-02-10T18:10:20", orgId: "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", shortName: "palo_alto", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://security.paloaltonetworks.com/CVE-2022-0018", }, ], solutions: [ { lang: "en", value: "This issue is fixed in GlobalProtect app 5.1.10 on Windows and MacOS, GlobalProtect app 5.2.9 on Windows and MacOS, and all later GlobalProtect app versions with the ‘force-disable-sso’ app setting.\n\nSet ‘force-disable-sso’ to ‘yes’ to prevent unintended transmission of the local user credentials as described here:\nhttps://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-apps/deploy-app-settings-transparently/customizable-app-settings/app-behavior-options.html", }, ], source: { defect: [ "GPC-14203", ], discovery: "EXTERNAL", }, timeline: [ { lang: "en", time: "2022-02-09T00:00:00", value: "Initial publication", }, ], title: "GlobalProtect App: Information Exposure Vulnerability When Connecting to GlobalProtect Portal With Single Sign-On Enabled", workarounds: [ { lang: "en", value: "There are no known workarounds for this issue.", }, ], x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "psirt@paloaltonetworks.com", DATE_PUBLIC: "2022-02-09T17:00:00.000Z", ID: "CVE-2022-0018", STATE: "PUBLIC", TITLE: "GlobalProtect App: Information Exposure Vulnerability When Connecting to GlobalProtect Portal With Single Sign-On Enabled", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "GlobalProtect App", version: { version_data: [ { platform: "Windows and MacOS", version_affected: "<", version_name: "5.2", version_value: "5.2.9", }, { platform: "Windows and MacOS", version_affected: "!>=", version_name: "5.2", version_value: "5.2.9", }, { platform: "Windows and MacOS", version_affected: "<", version_name: "5.1", version_value: "5.1.10", }, { platform: "Windows and MacOS", version_affected: "!>=", version_name: "5.1", version_value: "5.1.10", }, { version_affected: "!", version_name: "5.3", version_value: "5.3.*", }, ], }, }, ], }, vendor_name: "Palo Alto Networks", }, ], }, }, credit: [ { lang: "eng", value: "Palo Alto Networks thanks Irina Belyaeva of Jet Infosystems for discovering and reporting this issue.", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "An information exposure vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows and MacOS where the credentials of the local user account are sent to the GlobalProtect portal when the Single Sign-On feature is enabled in the GlobalProtect portal configuration. This product behavior is intentional and poses no security risk when connecting to trusted GlobalProtect portals configured to use the same Single Sign-On credentials both for the local user account as well as the GlobalProtect login. However when the credentials are different, the local account credentials are inadvertently sent to the GlobalProtect portal for authentication. A third party MITM type of attacker cannot see these credentials in transit. This vulnerability is a concern where the GlobalProtect app is deployed on Bring-your-Own-Device (BYOD) type of clients with private local user accounts or GlobalProtect app is used to connect to different organizations. Fixed versions of GlobalProtect app have an app setting to prevent the transmission of the user's local user credentials to the target GlobalProtect portal regardless of the portal configuration. This issue impacts: GlobalProtect app 5.1 versions earlier than GlobalProtect app 5.1.10 on Windows and MacOS; GlobalProtect app 5.2 versions earlier than GlobalProtect app 5.2.9 on Windows and MacOS This issue does not affect GlobalProtect app on other platforms.", }, ], }, exploit: [ { lang: "en", value: "Palo Alto Networks is not aware of any malicious exploitation of this issue.", }, ], generator: { engine: "Vulnogram 0.0.9", }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-201 Information Exposure Through Sent Data", }, ], }, ], }, references: { reference_data: [ { name: "https://security.paloaltonetworks.com/CVE-2022-0018", refsource: "MISC", url: "https://security.paloaltonetworks.com/CVE-2022-0018", }, ], }, solution: [ { lang: "en", value: "This issue is fixed in GlobalProtect app 5.1.10 on Windows and MacOS, GlobalProtect app 5.2.9 on Windows and MacOS, and all later GlobalProtect app versions with the ‘force-disable-sso’ app setting.\n\nSet ‘force-disable-sso’ to ‘yes’ to prevent unintended transmission of the local user credentials as described here:\nhttps://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-apps/deploy-app-settings-transparently/customizable-app-settings/app-behavior-options.html", }, ], source: { defect: [ "GPC-14203", ], discovery: "EXTERNAL", }, timeline: [ { lang: "en", time: "2022-02-09T00:00:00", value: "Initial publication", }, ], work_around: [ { lang: "en", value: "There are no known workarounds for this issue.", }, ], x_advisoryEoL: true, x_affectedList: [ "GlobalProtect App 5.2.8", "GlobalProtect App 5.2.7", "GlobalProtect App 5.2.6", "GlobalProtect App 5.2.5", "GlobalProtect App 5.2.4", "GlobalProtect App 5.2.3", "GlobalProtect App 5.2.2", "GlobalProtect App 5.2.1", "GlobalProtect App 5.2.0", "GlobalProtect App 5.2", "GlobalProtect App 5.1.9", "GlobalProtect App 5.1.8", "GlobalProtect App 5.1.7", "GlobalProtect App 5.1.6", "GlobalProtect App 5.1.5", "GlobalProtect App 5.1.4", "GlobalProtect App 5.1.3", "GlobalProtect App 5.1.1", "GlobalProtect App 5.1.0", "GlobalProtect App 5.1", ], x_likelyAffectedList: [ "GlobalProtect App 5.0.10", "GlobalProtect App 5.0.9", "GlobalProtect App 5.0.8", "GlobalProtect App 5.0.7", "GlobalProtect App 5.0.6", "GlobalProtect App 5.0.5", "GlobalProtect App 5.0.4", "GlobalProtect App 5.0.3", "GlobalProtect App 5.0.2", "GlobalProtect App 5.0.1", "GlobalProtect App 5.0.0", "GlobalProtect App 5.0", "GlobalProtect App 4.1.13", "GlobalProtect App 4.1.12", "GlobalProtect App 4.1.11", "GlobalProtect App 4.1.10", "GlobalProtect App 4.1.9", "GlobalProtect App 4.1.8", "GlobalProtect App 4.1.7", "GlobalProtect App 4.1.6", "GlobalProtect App 4.1.5", "GlobalProtect App 4.1.4", "GlobalProtect App 4.1.3", "GlobalProtect App 4.1.2", "GlobalProtect App 4.1.1", "GlobalProtect App 4.1.0", "GlobalProtect App 4.1", "GlobalProtect App 4.0.8", "GlobalProtect App 4.0.7", "GlobalProtect App 4.0.6", "GlobalProtect App 4.0.5", "GlobalProtect App 4.0.4", "GlobalProtect App 4.0.3", "GlobalProtect App 4.0.2", "GlobalProtect App 4.0.0", "GlobalProtect App 4.0", "GlobalProtect App 3.1.6", "GlobalProtect App 3.1.5", "GlobalProtect App 3.1.4", "GlobalProtect App 3.1.3", "GlobalProtect App 3.1.1", "GlobalProtect App 3.1.0", "GlobalProtect App 3.1", "GlobalProtect App 3.0.3", "GlobalProtect App 3.0.2", "GlobalProtect App 3.0.1", "GlobalProtect App 3.0.0", "GlobalProtect App 3.0", "GlobalProtect App 2.3.5", "GlobalProtect App 2.3.4", "GlobalProtect App 2.3.3", "GlobalProtect App 2.3.2", "GlobalProtect App 2.3.1", "GlobalProtect App 2.3.0", "GlobalProtect App 2.3", "GlobalProtect App 2.2.2", "GlobalProtect App 2.2.1", "GlobalProtect App 2.2.0", "GlobalProtect App 2.2", "GlobalProtect App 2.1.4", "GlobalProtect App 2.1.3", "GlobalProtect App 2.1.2", "GlobalProtect App 2.1.1", "GlobalProtect App 2.1.0", "GlobalProtect App 2.1", "GlobalProtect App 2.0.5", "GlobalProtect App 2.0.4", "GlobalProtect App 2.0.3", "GlobalProtect App 2.0.2", "GlobalProtect App 2.0.1", "GlobalProtect App 2.0.0", "GlobalProtect App 2.0", "GlobalProtect App 1.2.11", "GlobalProtect App 1.2.10", "GlobalProtect App 1.2.9", "GlobalProtect App 1.2.8", "GlobalProtect App 1.2.7", "GlobalProtect App 1.2.6", "GlobalProtect App 1.2.5", "GlobalProtect App 1.2.4", "GlobalProtect App 1.2.3", "GlobalProtect App 1.2.2", "GlobalProtect App 1.2.1", "GlobalProtect App 1.2.0", "GlobalProtect App 1.2", "GlobalProtect App 1.1.8", "GlobalProtect App 1.1.7", "GlobalProtect App 1.1.6", "GlobalProtect App 1.1.5", "GlobalProtect App 1.1.4", "GlobalProtect App 1.1.3", "GlobalProtect App 1.1.2", "GlobalProtect App 1.1.1", "GlobalProtect App 1.1.0", "GlobalProtect App 1.1", "GlobalProtect App 1.0.8", "GlobalProtect App 1.0.7", "GlobalProtect App 1.0.5", "GlobalProtect App 1.0.3", "GlobalProtect App 1.0.1", "GlobalProtect App 1.0", ], }, }, }, cveMetadata: { assignerOrgId: "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", assignerShortName: "palo_alto", cveId: "CVE-2022-0018", datePublished: "2022-02-10T18:10:20.308594Z", dateReserved: "2021-12-28T00:00:00", dateUpdated: "2024-09-16T23:36:47.780Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { nvd: "{\"cve\":{\"id\":\"CVE-2022-0018\",\"sourceIdentifier\":\"psirt@paloaltonetworks.com\",\"published\":\"2022-02-10T18:15:08.627\",\"lastModified\":\"2024-11-21T06:37:49.727\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An information exposure vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows and MacOS where the credentials of the local user account are sent to the GlobalProtect portal when the Single Sign-On feature is enabled in the GlobalProtect portal configuration. This product behavior is intentional and poses no security risk when connecting to trusted GlobalProtect portals configured to use the same Single Sign-On credentials both for the local user account as well as the GlobalProtect login. However when the credentials are different, the local account credentials are inadvertently sent to the GlobalProtect portal for authentication. A third party MITM type of attacker cannot see these credentials in transit. This vulnerability is a concern where the GlobalProtect app is deployed on Bring-your-Own-Device (BYOD) type of clients with private local user accounts or GlobalProtect app is used to connect to different organizations. Fixed versions of GlobalProtect app have an app setting to prevent the transmission of the user's local user credentials to the target GlobalProtect portal regardless of the portal configuration. This issue impacts: GlobalProtect app 5.1 versions earlier than GlobalProtect app 5.1.10 on Windows and MacOS; GlobalProtect app 5.2 versions earlier than GlobalProtect app 5.2.9 on Windows and MacOS This issue does not affect GlobalProtect app on other platforms.\"},{\"lang\":\"es\",\"value\":\"Se presenta una vulnerabilidad de exposición de información en GlobalProtect app de Palo Alto Networks en Windows y MacOS en la que las credenciales de la cuenta de usuario local son enviadas al portal de GlobalProtect cuando la función de inicio de sesión único está habilitada en la configuración del portal de GlobalProtect. Este comportamiento del producto es intencionado y no supone ningún riesgo de seguridad cuando es conectado a portales de GlobalProtect confiables configurados para usar las mismas credenciales de inicio de sesión único tanto para la cuenta de usuario local como para el inicio de sesión de GlobalProtect. Sin embargo, cuando las credenciales son diferentes, las credenciales de la cuenta local son enviadas inadvertidamente al portal de GlobalProtect para la autenticación. Un atacante de tipo MITM de terceros no puede visualizar estas credenciales en tránsito. Esta vulnerabilidad es un problema cuando GlobalProtect app es implementada en clientes del tipo Bring-your-Own-Device (BYOD) con cuentas de usuario locales privadas o GlobalProtect app es usada para conectarse a diferentes organizaciones. Las versiones corregidas de GlobalProtect app presentan una configuración de la aplicación para evitar la transmisión de las credenciales de usuario locales del usuario al portal GlobalProtect de destino, independientemente de la configuración del portal. Este problema afecta: GlobalProtect app versiones 5.1 versiones anteriores a GlobalProtect app 5.1.10 en Windows y MacOS; GlobalProtect app 5.2 versiones anteriores a GlobalProtect app 5.2.9 en Windows y MacOS Este problema no afecta a GlobalProtect app en otras plataformas\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@paloaltonetworks.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:H/Au:N/C:P/I:N/A:N\",\"baseScore\":2.6,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"HIGH\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":4.9,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"psirt@paloaltonetworks.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-201\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.1\",\"versionEndExcluding\":\"5.1.10\",\"matchCriteriaId\":\"E84FC1F6-58F6-4C67-A8E9-93233865C080\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.2\",\"versionEndExcluding\":\"5.2.9\",\"matchCriteriaId\":\"84B6241D-4456-4DC4-9767-3E608BCA0972\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"387021A0-AF36-463C-A605-32EA7DAC172E\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A2572D17-1DE6-457B-99CC-64AFD54487EA\"}]}]}],\"references\":[{\"url\":\"https://security.paloaltonetworks.com/CVE-2022-0018\",\"source\":\"psirt@paloaltonetworks.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://security.paloaltonetworks.com/CVE-2022-0018\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}", }, }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.