Remote code execution vulnerability disclosed in Palo Alto Networks’ GlobalProtect SSL VPN


Two cybersecurity researchers have publicly disclosed a remote code execution vulnerability in Palo Alto Networks’ GlobalProtect Secure Socket Layer (SSL) virtual private network (VPN) that the company had previously discovered and silently patched.

Orange Tsai and Meh Chang, of DevCore Security Consulting, blogged that they came across the flaw while conducting a red team security assessment of the service. The two at first believed they had stumbled across a zero day, but quickly determined that it was a known vulnerability. They then conducted an in-depth search, but could not find a CVE or security advisory that covered the problem, so they proceeded believing it was still unknown.

“The bug is very straightforward. It is just a simple format string vulnerability with no authentication required!,” they wrote.

An analysis by Tenable noted that an unauthenticated attacker could exploit the vulnerability simply by sending a specially crafted request to a vulnerable SSL VPN target, allowing remote code execution on the system.

The affected versions are GlobalProtect SSL VPN 7.1.x < 7.1.19, 8.0.x < 8.0.12 and 8.1.x < 8.1.3. Newer versions are not vulnerable primarily because Palo Alto Networks made an undisclosed fix. Tsai and Chang learned this after they had notified the company and were told the issue was previously known and fixed.
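For administrators checking their own gateways against the ranges above, the following is an added example (not code from the researchers, Tenable or Palo Alto Networks). It assumes version strings of the form major.minor.maintenance with an optional "-hN" hotfix suffix; the hostnames and inventory are constructed.

```python
import re

# First fixed maintenance release per branch, taken from the affected-version
# list in the article (7.1.x < 7.1.19, 8.0.x < 8.0.12, 8.1.x < 8.1.3).
FIRST_FIXED = {(7, 1): 19, (8, 0): 12, (8, 1): 3}

# Assumed version format: major.minor.maintenance with an optional "-hN"
# hotfix suffix, e.g. "8.1.2-h4".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def classify(version):
    """Return 'affected', 'fixed', 'not-listed' or 'unparsed' for one version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"
    major, minor, maint = (int(m.group(i)) for i in (1, 2, 3))
    first_fixed = FIRST_FIXED.get((major, minor))
    if first_fixed is None:
        # Branch is outside the three ranges the article names; make no claim.
        return "not-listed"
    # Going by the article's ranges, a hotfix suffix does not move a release
    # out of the affected range: 8.1.2-h4 is still below 8.1.3.
    return "affected" if maint < first_fixed else "fixed"


def triage(inventory):
    """Group hostnames by status so affected and unparsed entries are reviewed first."""
    report = {}
    for host, version in inventory.items():
        report.setdefault(classify(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "vpn-edge-01": "7.1.18",
    "vpn-edge-02": "7.1.19",
    "vpn-edge-03": "8.0.11-h1",
    "vpn-edge-04": "8.1.3",
    "vpn-edge-05": "8.1.2-h4",
    "vpn-edge-06": "9.0.1",
    "vpn-edge-07": "unknown",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:>10}: {', '.join(hosts)}")
```

Entries reported as "not-listed" or "unparsed" need a manual check against the vendor advisory, since the article only names three branches.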

Palo Alto Networks confirmed to SC Media that the fix was made.

"The security of our customers is our top priority. This GlobalProtect vulnerability was fixed during previous PAN-OS releases. On July 18th, Palo Alto Networks released a Security Advisory to encourage customers to update as soon as possible," the company wrote.

Since the public disclosure, Palo Alto Networks has assigned CVE-2019-1579 to the problem and issued an advisory.

As part of their research, Tsai and Chang searched for any large corporations that were still running the affected software versions and found Uber was still vulnerable. The two notified the ride-sharing company, and it fixed the problem.
