A critical vulnerability (CVE-2024-5921) has been identified in Palo Alto Networks’ GlobalProtect app, which poses a significant risk to endpoint security. This flaw allows attackers to exploit insufficient certification validation, potentially enabling unauthorized installation of malicious root certificates and subsequent deployment of malware. Although no active exploitation has been reported, public exploit code and discussions highlight the urgency of mitigation.
Key Details
- CVE ID: CVE-2024-5921
- Type of Vulnerability: Insufficient Certification Validation
- Severity: Critical
- Affected Products:
- Windows: GlobalProtect app 6.3, 6.1, 6.0, 5.1, UWP App; versions of 6.2 prior to 6.2.6.
- macOS/Linux: All versions of GlobalProtect app 6.2.
- Exploit Availability:
- Public exploit code exists, although no confirmed active exploitation has been reported.
Attack Vector
The vulnerability allows attackers to connect the GlobalProtect app to arbitrary servers. This connection facilitates the installation of malicious root certificates, which could be abused to sign and deliver malicious software.
Impact Assessment
- Potential Consequences:
- Compromise of endpoint security.
- Full attacker control over endpoints.
- Network compromise through trusted certificate abuse.
- Risk Level: High
Mitigation and Recommendations
1. Upgrade to Secure Versions
- For Windows: Update to GlobalProtect app 6.2.6 or newer versions.
- For macOS/Linux: Upgrade to the latest compatible version of GlobalProtect.
2. Enable FIPS-CC Mode
- Enforces strict certificate validation by default.
3. Deployment with Secure Parameters
Use the following installation command to ensure strict certificate validation:
msiexec.exe /i GlobalProtect64.msi FULLCHAINCERTVERIFY=”yes” CERTSTORE=”machine” CERTLOCATION=”ROOT”
- Recommended settings:
- CERTSTORE: “machine” (preferred) or “user”.
- CERTLOCATION: “ROOT” (preferred), “MY,” or other trusted locations.
- Default: Certificates are loaded from the root of the machine store.
Indicators of Compromise (IoCs)
- Unauthorized Certificates:
Look for unapproved root certificates added to the trust store. - Unusual Network Activity:
Connections to unknown or suspicious servers from endpoints running the vulnerable app.
Action Plan
- Immediate Response:
- Audit current GlobalProtect installations for version and configuration compliance.
- Remove any untrusted certificates from affected endpoints.
- Preventive Measures:
- Upgrade to recommended versions or enable FIPS-CC mode as a temporary mitigation.
- Deploy updated versions with validated certificates using strict installation parameters.
- Monitoring and Validation:
- Continuously monitor endpoint behavior for anomalous activity.
- Implement certificate management best practices to reduce exposure.
CVE-2024-5921 represents a critical threat to organizations using Palo Alto Networks’ GlobalProtect app. Swift action is required to mitigate potential exploitation. Follow the outlined recommendations to secure your environment and minimize risk.
