Palo Alto Networks User-ID Credential Agent Privilege Escalation Vulnerability via Service Account Password Exposure

Vulnerability

A vulnerability allowing information exposure has been identified in the Palo Alto Networks User-ID Credential Agent for Windows. Under certain non-default configurations, this vulnerability can reveal the service account password, enabling an unprivileged Domain User to escalate privileges by exploiting the account's permissions. The impact of this vulnerability varies depending on the account's privilege level. For minimally privileged accounts, it could disrupt User-ID Credential Agent operations, such as uninstalling or disabling the agent service, and weaken network security policies that rely on Credential Phishing Prevention under a Domain Credential Filter configuration. For elevated accounts, such as Server Operators or those with Domain Join privileges, the vulnerability could lead to greater impacts, including unauthorized control over servers, manipulation of domain objects, and network compromise through reconnaissance or client probing.

Impact

Exploitation of this vulnerability could allow an unprivileged Domain User to escalate privileges by accessing the service account password, with the potential to disrupt User-ID Credential Agent operations or, for those with elevated accounts, gain unauthorized control over servers and manipulate domain objects.

Remediation

Users running the User-ID Credential Agent on Windows at any 11.0.0 build prior to 11.0.2-133 should upgrade to version 11.0.3 or later. Users on versions 11.0.0 through 11.0.1-104 need no action. Additionally, review the 'Allow log on locally' user right in the Default Domain Controllers Policy and remove any Domain Users entry listed there, as this reduces the privilege escalation risk.
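The following PowerShell audit is an added example for the Default Domain Controllers Policy check above; it is not code from the advisory or from Palo Alto Networks. It assumes the GroupPolicy RSAT module is installed, the GPO keeps its default display name, and the Get-GPOReport XML lists each user right as a UserRightsAssignment element with Name and Member children (Member carrying Name and SID).

```powershell
# Added example: report whether 'Allow log on locally' (SeInteractiveLogonRight)
# in the Default Domain Controllers Policy grants Domain Users.
# Run from a domain-joined host with rights to read the GPO.
Import-Module GroupPolicy

# Assumption: the GPO still uses its default display name.
$gpoName = 'Default Domain Controllers Policy'
[xml]$report = Get-GPOReport -Name $gpoName -ReportType Xml

# Select the user-right block by local-name() so the namespace prefix does not matter.
$xpath = "//*[local-name()='UserRightsAssignment']" +
         "[*[local-name()='Name']='SeInteractiveLogonRight']"
$rightNodes = $report.SelectNodes($xpath)

$domainUsersRid = '-513'   # well-known RID of the Domain Users group
$findings = foreach ($node in $rightNodes) {
    foreach ($member in $node.SelectNodes("*[local-name()='Member']")) {
        # Either child may be absent when a principal could not be resolved.
        $nameNode = $member.SelectSingleNode("*[local-name()='Name']")
        $sidNode  = $member.SelectSingleNode("*[local-name()='SID']")
        $name = if ($nameNode) { $nameNode.InnerText } else { '' }
        $sid  = if ($sidNode)  { $sidNode.InnerText }  else { '' }
        if ($name -like '*\Domain Users' -or $sid -like "*$domainUsersRid") {
            [pscustomobject]@{ Right = 'SeInteractiveLogonRight'; Member = $name; SID = $sid }
        }
    }
}

if ($findings) {
    Write-Warning "Domain Users holds 'Allow log on locally' in '$gpoName'; remove it per the advisory."
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No Domain Users entry under 'Allow log on locally' in '$gpoName'."
}
```

After removing the entry, re-run the script once the policy has refreshed on the domain controllers to confirm the finding is gone.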

Added: Sep 12, 2025, 6:18 PM
Updated: Sep 12, 2025, 6:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 2.9
remediation: 0.0
relevance: 0.5
threat: 0.0
urgency: 5.7
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.