Palo Alto Networks GlobalProtect App Improper Certificate Validation Vulnerability Allows Privilege Escalation

Vulnerability

A vulnerability has been identified in the Palo Alto Networks GlobalProtect app, specifically in versions 6.0.0, 6.1.0, 6.2.0 prior to 6.2.8-h3, 6.3.0 prior to 6.3.3-h2 on Windows, and 6.3.0 prior to 6.3.3 on Linux. This vulnerability arises from insufficient certificate validation, which allows attackers to connect the GlobalProtect app to arbitrary servers. As a result, a local non-administrative user or an attacker on the same subnet could install malicious root certificates on the endpoint. This would enable the installation of malicious software signed by the fraudulent root certificates.

Impact

Exploitation of this vulnerability could lead to unauthorized installation of root certificates, allowing for the subsequent installation of malicious software disguised as legitimate, potentially bypassing security measures.

Remediation

Users can upgrade to GlobalProtect App 6.3.3-h2 or 6.2.8-h3 on Windows, or GlobalProtect App 6.3.3 or 6.2.8 on Linux. After upgrading, ensure that the portal/gateway certificate can be validated using the operating system's certificate store, remove any certificates associated with portal/gateway validation from the 'Trusted Root CA' list on the Portal, and enable the portal setting 'Enable Strict Certificate Check'.
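
An added example, not taken from this advisory or from Palo Alto Networks: a fleet triage helper that compares installed GlobalProtect app versions against the fixed builds named in the Remediation section above. It assumes versions are reported as X.Y.Z or X.Y.Z-hN; the hostnames and inventory rows are constructed, and release trains for which this page names no fixed build are returned as "unlisted".

```python
import re

# Fixed builds as named in this page's Remediation section, keyed by
# (platform, release train). Other trains have no fixed build on the page.
FIXED = {
    ("windows", (6, 2)): (6, 2, 8, 3),   # 6.2.8-h3
    ("windows", (6, 3)): (6, 3, 3, 2),   # 6.3.3-h2
    ("linux", (6, 2)): (6, 2, 8, 0),     # 6.2.8
    ("linux", (6, 3)): (6, 3, 3, 0),     # 6.3.3
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """Turn '6.2.8-h3' into (6, 2, 8, 3); a missing hotfix counts as 0."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GlobalProtect version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))

def triage(platform, version_text):
    """Return 'fixed', 'upgrade' or 'unlisted' for one installed app."""
    version = parse_version(version_text)
    fixed = FIXED.get((platform.lower(), version[:2]))
    if fixed is None:
        return "unlisted"  # no fixed build for this train on the page
    return "fixed" if version >= fixed else "upgrade"

# Constructed inventory rows (hostname, platform, version) for illustration.
INVENTORY = [
    ("wks-001", "Windows", "6.2.8-h2"),
    ("wks-002", "Windows", "6.2.8-h3"),
    ("wks-003", "Windows", "6.3.3"),
    ("lnx-001", "Linux", "6.3.3"),
    ("lnx-002", "Linux", "6.3.2-h1"),
    ("wks-004", "Windows", "6.1.0"),
]

def report(inventory=INVENTORY):
    """Map each hostname to its triage result."""
    return {host: triage(plat, ver) for host, plat, ver in inventory}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```

A "fixed" result covers only the installed build; the portal-side settings listed in the Remediation section still have to be applied.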

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 7.5
exploitability: 4.8
remediation: 7.7
relevance: 0.3
threat: 0.0
urgency: 5.7
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.