Last week, researchers Orange Tsai and Meh Chang published technical details of a critical remote code execution vulnerability that affects Palo Alto Networks’s GlobalProtect
The vulnerability, tracked as CVE-2019-1579, affects the GlobalProtect portal and GlobalProtect Gateway interface products. An
“Palo Alto Networks is aware of the reported remote code execution (RCE) vulnerability in its GlobalProtect portal and GlobalProtect Gateway interface products. The issue is already addressed in prior maintenance releases.
The researchers also published the PoC code for the vulnerability and described how to determine is an install is vulnerable by using a simple command.
Affected products are PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11 and earlier, and PAN-OS 8.1.2 and earlier releases. PAN-OS 9.0 is not affected.
Palo Alto Networks addressed the flaw with the release of PAN-OS versions 7.1.19, 8.0.12 and 8.1.3. Earlier versions are impacted.
“About the vulnerability, we accidentally discovered it during our Red Team assessment services.” “The bug is very straightforward. It is just a simple format string vulnerability with no authentication required!”
According to experts at Tenable that analyzed the CVE-2019-1579 flaw, the issue exists because the gateway doesn’t sanitize the value of a particular parameter passed to
“More specifically, the vulnerability exists because the gateway passes the value of a particular parameter to
Orange Tsai and Meh Chang reported the flaw to Palo Alto Networks, the company acknowledged the
The security duo searched for major organizations using vulnerable versions of GlobalProtect and discovered that Uber is one of them. Uber, in fact, runs 22 servers that implement VPN access to the company.
Uber confirmed the
“During our internal investigation, we found that the Palo Alto SSL VPN is not the same as the primary VPN which is used by the majority of our employees.” Uber replied.
“Additionally, we hosted the Palo Alto SSL VPN in AWS as opposed to our core infrastructure; as such, this would not have been able to access any of our internal infrastructure or core services. For these reasons, we determined that while it was an
|[adrotate banner=”9″]||[adrotate banner=”12″]|