===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1276
      Palo Alto Networks Security Advisories for GlobalProtect Agent
                               9 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GlobalProtect Agent
Publisher:         Palo Alto
Operating System:  Windows
                   Linux variants
Impact/Access:     Administrator Compromise -- Existing Account
                   Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-1989 CVE-2020-1988 CVE-2020-1987

Original Bulletin: 
   https://securityadvisories.paloaltonetworks.com/CVE-2020-1987
   https://securityadvisories.paloaltonetworks.com/CVE-2020-1988
   https://securityadvisories.paloaltonetworks.com/CVE-2020-1989

Comment: This bulletin contains three (3) Palo Alto security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Palo Alto Networks Security Advisories / CVE-2020-1987

CVE-2020-1987 GlobalProtect Agent: VPN cookie local information disclosure


Severity:               2.8 (LOW)
Attack Vector:          LOCAL
Attack Complexity:      LOW
Privileges Required:    LOW
User Interaction:       REQUIRED
Scope:                  UNCHANGED
Confidentiality Impact: LOW
Integrity Impact:       NONE
Availability Impact:    NONE
Published: 2020-04-08
Updated: 2020-04-08
Ref#: GPC-9393

Description

An information exposure vulnerability in the logging component of Palo Alto
Networks GlobalProtect Agent allows a local authenticated user to read VPN
cookie information when the troubleshooting logging level is set to "Dump".

This issue affects Palo Alto Networks GlobalProtect Agent 5.0 versions prior to
5.0.9; 5.1 versions prior to 5.1.1.

Product Status

GlobalProtect Agent

Versions  Affected  Unaffected
5.0       < 5.0.9   >= 5.0.9
5.1       < 5.1.1   >= 5.1.1

Severity: LOW

CVSSv3.1 Base Score: 2.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Solution

This issue is fixed in GlobalProtect Agent 5.0.9, GlobalProtect Agent 5.1.1 and
all later versions.

Workarounds and Mitigations

Acknowledgements

Palo Alto Networks thanks Ahmet Hrnjadovic for discovering and reporting this
issue.

Timeline

2020-04-08 Initial publication
(C) 2020 Palo Alto Networks, Inc. All rights reserved.

--------------------------------------------------------------------------------

Palo Alto Networks Security Advisories / CVE-2020-1988

CVE-2020-1988 GlobalProtect Agent: Local privilege escalation due to an
unquoted search path vulnerability


Severity:               4.2 (MEDIUM)
Attack Vector:          LOCAL
Attack Complexity:      LOW
Privileges Required:    HIGH
User Interaction:       NONE
Scope:                  UNCHANGED
Confidentiality Impact: LOW
Integrity Impact:       LOW
Availability Impact:    LOW
Published: 2020-04-08
Updated: 2020-04-08
Ref#: GPC-9320

Description

An unquoted search path vulnerability in the Windows release of GlobalProtect
Agent allows an authenticated local user with file creation privileges on the
root of the OS disk (C:\) or on the Program Files directory to gain system
privileges.

This issue affects Palo Alto Networks GlobalProtect Agent 5.0 versions before
5.0.5; 4.1 versions before 4.1.13 on Windows.

Product Status

GlobalProtect Agent

Versions  Affected             Unaffected
5.0       < 5.0.5 on Windows   >= 5.0.5 on Windows
4.1       < 4.1.13 on Windows  >= 4.1.13 on Windows

Required Configuration

This issue only affects Windows systems where local users are configured with
file creation privileges to the root of the OS disk (C:\) or 'Program Files'
directory.

Severity: MEDIUM

CVSSv3.1 Base Score: 4.2 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L)

Solution

This issue is fixed in GlobalProtect Agent 5.0.5, GlobalProtect Agent 4.1.13
and all later versions.

Workarounds and Mitigations

Do not grant file creation privileges on the root of the OS disk (C:\) or
'Program Files' directory to unprivileged users.
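
The advisory names C:\ and 'Program Files' because, for an unquoted path that contains spaces, Windows tries each space-delimited prefix as an executable before it reaches the intended one. The audit helper below is an added example, not Palo Alto Networks or AusCERT code; the service names and paths are constructed (the advisory does not give the agent's install path), and it lists the directories that must stay non-writable for a set of service ImagePath values.

```python
import ntpath
import re

# Constructed sample ImagePath values (assumptions, not from any real product).
SAMPLE_SERVICES = {
    "QuotedSvc": r'"C:\Program Files\Example Vendor\Example Agent\svc.exe" -run',
    "UnquotedSvc": r'C:\Program Files\Example Vendor\Example Agent\svc.exe -run',
    "NoSpaceSvc": r'C:\Windows\System32\svchost.exe -k netsvcs',
}

_EXE_END = re.compile(r'\.exe(?=\s|$)', re.IGNORECASE)

def intended_executable(image_path):
    """Path up to the first '.exe' followed by whitespace or end of string."""
    m = _EXE_END.search(image_path)
    return image_path[:m.end()] if m else image_path

def earlier_candidates(image_path):
    """Executables Windows tries before the intended one for an unquoted path.

    Documented CreateProcess rule: the string is cut at each space in turn
    and '.exe' is appended when the resulting piece has no extension.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []  # quoted: the executable name is unambiguous
    exe = intended_executable(path)
    out = []
    for i, ch in enumerate(exe):
        if ch == " ":
            prefix = exe[:i]
            if not ntpath.splitext(prefix)[1]:
                prefix += ".exe"
            out.append(prefix)
    return out

def directories_to_lock_down(image_path):
    """Directories that must not be writable by unprivileged users."""
    seen = []
    for cand in earlier_candidates(image_path):
        d = ntpath.dirname(cand)
        if d not in seen:
            seen.append(d)
    return seen

def audit(services):
    """Map each unquoted-with-spaces service to the directories to check."""
    return {name: directories_to_lock_down(p)
            for name, p in services.items() if earlier_candidates(p)}
```

On a live host the same functions can be fed the ImagePath values read from the service registry keys, and each returned directory checked for write access by non-administrators.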

Acknowledgements

Palo Alto Networks thanks Ratnesh Pandey of Bromium and Matthew Batten for
discovering and reporting this issue.

Timeline

2020-04-08 Initial publication

--------------------------------------------------------------------------------

Palo Alto Networks Security Advisories / CVE-2020-1989

CVE-2020-1989 GlobalProtect Agent: Incorrect privilege assignment allows local
privilege escalation


Severity:               7 (HIGH)
Attack Vector:          LOCAL
Attack Complexity:      HIGH
Privileges Required:    LOW
User Interaction:       NONE
Scope:                  UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact:       HIGH
Availability Impact:    HIGH
Published: 2020-04-08
Updated: 2020-04-08
Ref#: GPC-9358

Description

An incorrect privilege assignment vulnerability when writing
application-specific files in the Palo Alto Networks GlobalProtect Agent for
Linux on ARM platform allows a local authenticated user to gain root privileges
on the system.

This issue affects Palo Alto Networks GlobalProtect Agent for Linux 5.0
versions before 5.0.8; 5.1 versions before 5.1.1.

Product Status

GlobalProtect Agent

Versions  Affected              Unaffected
5.0       < 5.0.8 on Linux ARM  >= 5.0.8 on Linux ARM
5.1       < 5.1.1 on Linux ARM  >= 5.1.1 on Linux ARM

Severity: HIGH

CVSSv3.1 Base Score: 7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Solution

This issue is fixed in GlobalProtect Agent 5.0.8, GlobalProtect Agent 5.1.1 and
all later versions.

Workarounds and Mitigations

There are no viable workarounds for this issue.

Timeline

2020-04-08 Initial publication

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================