Critical vulnerability in Palo Alto GlobalProtect SSL VPN software allows attackers to execute arbitrary code

• The vulnerability tracked as CVE-2019-1579 impacts all companies that use the GlobalProtect software, including the ride-sharing platform Uber.
• The impacted versions include PAN-OS 7.1.18, PAN-OS 8.0.11, and PAN-OS 8.1.2.

What is the issue?

A critical remote code execution vulnerability has been detected in the Palo Alto GlobalProtect portal and GlobalProtect Gateway products.

What is the vulnerability?

The critical vulnerability was discovered by security researchers Orange Tsai and Meh Chang during Red Team assessment services.

• The vulnerability tracked as CVE-2019-1579 impacts all companies that use the GlobalProtect software, including ride-sharing platform Uber.
• This vulnerability could be exploited by attackers to perform arbitrary code execution.
• The impacted versions include PAN-OS 7.1.18, PAN-OS 8.0.11, and PAN-OS 8.1.2.
• Attackers could exploit the vulnerability by sending a specially crafted request to a vulnerable SSL VPN.
• The vulnerability exists because the gateway passes the value of a particular parameter to ‘snprintf’ in an unsanitized pattern.

“The researchers sought to identify whether any large organizations might be running a vulnerable version of GlobalProtect. They found that popular ride-hailing service, Uber, was running an unpatched version. They confirmed their exploit worked against Uber and reported their findings,” Tenable said in a blog.

Patch available

Palo Alto Networks has patched the vulnerability in its latest versions PAN-OS 7.1.19, PAN-OS 8.0.12, PAN-OS 8.1.3.

“If you have not already upgraded to the available updates listed above and cannot do so now, we recommend that you update to content release 8173, or a later version, and confirm threat prevention is enabled and enforced on traffic that passes through the GlobalProtect portal and GlobalProtect Gateway interface,” the security advisory read.