A privilege escalation vulnerability (CVE-2024-9473) has been discovered in the Palo Alto Networks GlobalProtect app on Windows operating systems. This vulnerability enables a locally authenticated, non-administrative Windows user to escalate their privileges to NT AUTHORITY\SYSTEM, which poses a significant security risk to affected systems.
How the Vulnerability Works
The GlobalProtect app on Windows allows any local user to initiate a repair action via the .msi file used to install the application. During this repair, the affected systems set the permissions of the GlobalProtect directories in the context of NT AUTHORITY\SYSTEM, which allows a low-privileged user to escalate their permission level and gain full control of the system.
PoC Code Snippet
The following proof-of-concept (PoC) shows how to escalate privileges using the CVE-2024-9473 vulnerability:
```powershell
# Step 1: Save the following PowerShell code into a .ps1 file, e.g., exploit.ps1
$process = Start-Process "msiexec" -ArgumentList "/fa {ENTER-GLOBALPROTECT-MSI-GUID-HERE} /qb" -Wait -PassThru
Write-Host "Repair process completed. Return code:" $process.ExitCode
```
You can find it on the right side of the table displayed after running the
3. Replace {ENTER-GLOBALPROTECT-MSI-GUID-HERE} in the PoC code snippet (exploit.ps1) with the obtained GUID.
Affected Versions
Palo Alto Networks GlobalProtect app 5. on Windows operating systems.
Solution
Palo Alto Networks has released an updated version of the GlobalProtect app that addresses this vulnerability. It is recommended to upgrade the GlobalProtect app to GlobalProtect version 5.1 or later.
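The following PowerShell script is an added defender-side check; it is not part of the advisory and not Palo Alto Networks' own tooling. It covers the two points made above: it reads the installed GlobalProtect version from the Windows Uninstall registry keys and compares it with a minimum version (defaulting to the 5.1 stated in this advisory, which you should confirm against the vendor's advisory), and it audits the GlobalProtect install directory for ACL entries that grant write-class rights to broad groups such as Users or Authenticated Users, the condition a repair-triggered permission reset would be expected to produce. The install directory path, the `GlobalProtect*` display-name match, and the list of "broad" groups are assumptions; the ACL audit is general and can be pointed at any SYSTEM-owned install tree.

```powershell
# Added example (not from the advisory): audit a Windows host for the conditions
# described above. Assumptions: the default install path below and the product
# display name starting with "GlobalProtect". Run from an elevated prompt so the
# registry keys and directory ACL are readable.
param(
    [version]$MinimumVersion = '5.1',
    [string]$InstallDir = 'C:\Program Files\Palo Alto Networks\GlobalProtect'
)

function Get-GlobalProtectInstall {
    # Check both the native and the WOW6432Node uninstall hives.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'GlobalProtect*' } |
        Select-Object DisplayName, DisplayVersion, PSChildName
}

function Test-GlobalProtectVersion {
    param([version]$Minimum)
    $installs = Get-GlobalProtectInstall
    if (-not $installs) {
        Write-Output 'GlobalProtect not found in the Uninstall registry keys.'
        return
    }
    foreach ($app in $installs) {
        $installed = $null
        $parsed = [version]::TryParse($app.DisplayVersion, [ref]$installed)
        $status = if ($parsed -and $installed -ge $Minimum) { 'OK' } else { 'UPDATE REQUIRED' }
        [pscustomobject]@{
            Product     = $app.DisplayName
            Version     = $app.DisplayVersion
            ProductCode = $app.PSChildName   # the MSI product GUID, as the registry key name
            Status      = $status
        }
    }
}

function Get-WeakWriteAcl {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Output "Directory not present: $Path"
        return
    }
    # Groups that should never hold write-class rights on a SYSTEM-owned install tree.
    $broadGroups = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                   'Everyone', 'NT AUTHORITY\INTERACTIVE'
    # FileSystemRights::Write (0x116) covers WriteData/AppendData/WriteAttributes/
    # WriteExtendedAttributes; Modify and FullControl both include it. The two
    # high bits are GENERIC_WRITE and GENERIC_ALL, which inherited ACEs may carry
    # instead of specific rights.
    $writeMask = 0x116 -bor 0x40000000 -bor 0x10000000
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broadGroups -contains $_.IdentityReference.Value -and
            ((([int]$_.FileSystemRights) -band $writeMask) -ne 0)
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

Test-GlobalProtectVersion -Minimum $MinimumVersion | Format-Table -AutoSize
$weak = Get-WeakWriteAcl -Path $InstallDir
if ($weak) {
    Write-Output "Write-class rights granted to broad groups on ${InstallDir} (review these):"
    $weak | Format-Table -AutoSize
} else {
    Write-Output "No broad-group write rights found on $InstallDir."
}
```

A host that reports `UPDATE REQUIRED`, or any row from the ACL audit, is one to remediate; the audit is also useful after the upgrade, since a later repair on a fixed version should leave no broad-group write rights behind.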
Links to Original References
1. Palo Alto Networks Advisory CVE-2024-9473
2. GlobalProtect app release notes
Conclusion
It is crucial for organizations to keep their software and systems up to date to protect themselves from security vulnerabilities such as CVE-2024-9473. Routinely applying security patches and updates also limits exposure to other vulnerabilities that arise over time, keeping critical systems secure.
Timeline
Published on: 10/09/2024 17:15:21 UTC
Last modified on: 10/18/2024 11:59:17 UTC