Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.1276 Palo Alto Networks Security Advisories for GlobalProtect Agent 9 April 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: GlobalProtect Agent Publisher: Palo Alto Operating System: Windows Linux variants Impact/Access: Administrator Compromise -- Existing Account Access Confidential Data -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2020-1989 CVE-2020-1988 CVE-2020-1987 Original Bulletin: https://securityadvisories.paloaltonetworks.com/CVE-2020-1987 https://securityadvisories.paloaltonetworks.com/CVE-2020-1988 https://securityadvisories.paloaltonetworks.com/CVE-2020-1989 Comment: This bulletin contains three (3) Palo Alto security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- Palo Alto Networks Security Advisories / CVE-2020-1987 CVE-2020-1987 GlobalProtect Agent: VPN cookie local information disclosure Severity 2.8 . LOW Attack Vector LOCAL Attack Complexity LOW Privileges Required LOW User Interaction REQUIRED Scope UNCHANGED Confidentiality Impact LOW Integrity Impact NONE Availability Impact NONE NVD JSON Published: 2020-04-08 Updated: 2020-04-08 Ref#: GPC-9393 Description An information exposure vulnerability in the logging component of Palo Alto Networks GlobalProtect Agent allows a local authenticated user to read VPN cookie information when the troubleshooting logging level is set to "Dump". This issue affects Palo Alto Networks GlobalProtect Agent 5.0 versions prior to 5.0.9; 5.1 versions prior to 5.1.1. Product Status GlobalProtect Agent Versions Affected Unaffected 5.0 < 5.0.9 >= 5.0.9 5.1 < 5.1.1 >= 5.1.1 Severity: LOW CVSSv3.1 Base Score: 2.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N) Solution This issue is fixed in GlobalProtect Agent 5.0.9, GlobalProtect Agent 5.1.1 and all later versions. Workarounds and Mitigations Acknowledgements Palo Alto Networks thanks Ahmet Hrnjadovic for discovering and reporting this issue. Timeline 2020-04-08 Initial publication Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure Policy Report vulnerabilitiesManage subscriptions (C) 2020 Palo Alto Networks, Inc. All rights reserved. - -------------------------------------------------------------------------------- Palo Alto Networks Security Advisories / CVE-2020-1988 CVE-2020-1988 GlobalProtect Agent: Local privilege escalation due to an unquoted search path vulnerability Severity 4.2 . MEDIUM Attack Vector LOCAL Attack Complexity LOW Privileges Required HIGH User Interaction NONE Scope UNCHANGED Confidentiality Impact LOW Integrity Impact LOW Availability Impact LOW NVD JSON Published: 2020-04-08 Updated: 2020-04-08 Ref#: GPC-9320 Description An unquoted search path vulnerability in the Windows release of GlobalProtect Agent allows an authenticated local user with file creation privileges on the root of the OS disk (C:\) or to Program Files directory to gain system privileges. This issue affects Palo Alto Networks GlobalProtect Agent 5.0 versions before 5.0.5; 4.1 versions before 4.1.13 on Windows; Product Status GlobalProtect Agent Versions Affected Unaffected 5.0 < 5.0.5 on Windows >= 5.0.5 on Windows 4.1 < 4.1.13 on Windows >= 4.1.13 on Windows Required Configuration This issue only affects Windows systems where local users are configured with file creation privileges to the root of the OS disk (C:\) or 'Program Files' directory. Severity: MEDIUM CVSSv3.1 Base Score: 4.2 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L) Solution This issue is fixed in GlobalProtect Agent 5.0.5, GlobalProtect Agent 4.1.13 and all later versions. Workarounds and Mitigations Do not grant file creation privileges on the root of the OS disk (C:\) or 'Program Files' directory to unprivileged users. Acknowledgements Palo Alto Networks thanks Ratnesh Pandey of Bromium and Matthew Batten for discovering and reporting this issue. Timeline 2020-04-08 Initial publication Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure Policy Report vulnerabilitiesManage subscriptions (C) 2020 Palo Alto Networks, Inc. All rights reserved. - -------------------------------------------------------------------------------- Palo Alto Networks Security Advisories / CVE-2020-1989 CVE-2020-1989 GlobalProtect Agent: Incorrect privilege assignment allows local privilege escalation Severity 7 . HIGH Attack Vector LOCAL Attack Complexity HIGH Privileges Required LOW User Interaction NONE Scope UNCHANGED Confidentiality Impact HIGH Integrity Impact HIGH Availability Impact HIGH NVD JSON Published: 2020-04-08 Updated: 2020-04-08 Ref#: GPC-9358 Description An incorrect privilege assignment vulnerability when writing application-specific files in the Palo Alto Networks GlobalProtect Agent for Linux on ARM platform allows a local authenticated user to gain root privileges on the system. This issue affects Palo Alto Networks GlobalProtect Agent for Linux 5.0 versions before 5.0.8; 5.1 versions before 5.1.1. Product Status GlobalProtect Agent Versions Affected Unaffected 5.0 < 5.0.8 on Linux ARM >= 5.0.8 on Linux ARM 5.1 < 5.1.1 on Linux ARM >= 5.1.1 on Linux ARM Severity: HIGH CVSSv3.1 Base Score: 7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) Solution This issue is fixed in GlobalProtect Agent 5.0.8, GlobalProtect Agent 5.1.1 and all later versions. Workarounds and Mitigations There are no viable workarounds for this issue. Timeline 2020-04-08 Initial publication Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure Policy Report vulnerabilitiesManage subscriptions (C) 2020 Palo Alto Networks, Inc. All rights reserved. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXo6mI2aOgq3Tt24GAQiVUA//S1SWZHjSkgn5sxB7tz8dOAhdqgs/Pjsq ZtrJigi7JITqSFaoMwY1E9H6GeL7f5PUD5C1Bq4GXPXlBtF3z+W7yfneAWjFUoSS 3loKmnmlM70Vss2pDjXVToVI6JFCvY+OBdG+5RdBRgXaBJDySFYlYBxo7m0FEZnZ ugDv16OQ1GM6JmJGQvZUxfHbQbRw/rhiTVRCm3HOgKNWTUHqRd2bdj09g5bY2O/b 2rZkdHijm67v3JI5g8C+lUz7l2SSi64T4Ec77hT214kNpTP/nL5H42/gPrzfdJ4i K4+tgRTZvedJZGymNfumSL1D+ad1aNdu9CZ3etuuDuzoSNMzhggnC6cpaq/46dgv 1Vt7+/+5XZnQKe16/Tvx5fhhv0dwPIEohKSGf/Z0L/k7Eex1U6X8qiYgMcaamIIv z2KvLfV0duHVRok/t3kL/2uTb9/on0VQL1pLnAGzQpSKGwlLGtgqgl5nPAmAGO31 QpGNEB/vODLxJbnbkS4XbaC3+qnhFdsb3hUB8WaKDFiDf79mTb0K6Fu3DZSWvL2b 7BNXfAsbxlihSn0//HkRVMJkDrXl9jZ+vl8L1KMwrhGO48PWlZOSyzmp9KyF2RSH W0/SF71YRwmq6V5CHmGQuDArXTq4mMiNX5O6weaACT5JoTyEDiSOEN8EHbfqBLsW TmosMxC/y+E= =dXjy -----END PGP SIGNATURE-----