Palo Alto Security Center, 14 November 2024
CVE-2024-5918 PAN-OS: Improper Certificate Validation Enables Impersonation of a Legitimate GlobalProtect User (Severity: LOW)
Palo Alto Networks PAN-OS software contains a certificate validation vulnerability that allows an attacker with a specially crafted client certificate to connect to an affected GlobalProtect portal or gateway as another legitimate user. The vulnerability exists only on firewalls where a GlobalProtect portal or gateway is configured to use client certificate authentication and the "Allow Authentication with User Credentials OR Client Certificate" option is set to "Yes". Users can confirm whether a GlobalProtect portal or gateway is configured, and whether client certificate authentication is configured on it, by checking the corresponding entries in the firewall web interface. The vulnerability is fixed in PAN-OS 10.1.11, PAN-OS 10.2.4-h5, PAN-OS 10.2.5, PAN-OS 11.0.3 and all later versions. Users can mitigate the issue by setting the "Allow Authentication with User Credentials OR Client Certificate" option to "No".

⚠️ **Vulnerability description:** Palo Alto Networks PAN-OS software contains an improper certificate validation vulnerability that allows an authorized user with a specially crafted client certificate to connect to an affected GlobalProtect portal or gateway as another legitimate user.

🖥️ **Scope of impact:** Only firewalls on which a GlobalProtect portal or gateway is configured to use client certificate authentication and the "Allow Authentication with User Credentials OR Client Certificate" option is set to "Yes" are affected.

🔎 **How to verify:** Users can confirm whether a GlobalProtect portal or gateway is configured, and whether client certificate authentication is enabled on it, by checking the entries in the firewall web interface.

🛡️ **Fix:** The issue is fixed in PAN-OS 10.1.11, PAN-OS 10.2.4-h5, PAN-OS 10.2.5, PAN-OS 11.0.3 and all later versions.

🚫 **Mitigation:** Setting the "Allow Authentication with User Credentials OR Client Certificate" option to "No" mitigates the issue.

An improper certificate validation vulnerability in Palo Alto Networks PAN-OS software enables an authorized user with a specially crafted client certificate to connect to an impacted GlobalProtect portal or GlobalProtect gateway as a different legitimate user. This attack is possible only if you "Allow Authentication with User Credentials OR Client Certificate."

This issue impacts only firewalls on which you configured a GlobalProtect portal or GlobalProtect gateway to use Client Certificate Authentication and you set the "Allow Authentication with User Credentials OR Client Certificate" option to "Yes".

You can verify whether you configured GlobalProtect portal or gateway by checking for entries in your firewall web interface (Network > GlobalProtect > Portals or Network > GlobalProtect > Gateways).

If you do have GlobalProtect portals or gateways in your configuration, then you can verify whether you configured Client Certificate Authentication on these portals and gateways by checking your firewall web interface (Network > GlobalProtect > Portals > <portal-config> > Authentication or Network > GlobalProtect > Gateways > <gateway-config> > Authentication).

Palo Alto Networks is not aware of any malicious exploitation of this issue.

This issue is fixed in PAN-OS 10.1.11, PAN-OS 10.2.4-h5, PAN-OS 10.2.5, PAN-OS 11.0.3, and all later PAN-OS versions.

You can mitigate this issue by setting the "Allow Authentication with User Credentials OR Client Certificate" option to "No."
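The advisory gives two things a defender has to check at scale: whether any portal or gateway meets both preconditions (client certificate authentication configured and the "Allow Authentication with User Credentials OR Client Certificate" option set to Yes), and whether the running release is at or past the fixed versions. The script below is an added example, not Palo Alto Networks code, that performs both checks offline against an exported PAN-OS XML configuration. The element names `certificate-profile` and `user-credential-or-client-cert-required`, the `global-protect-portal` / `global-protect-gateway` paths, and the sample configuration are assumptions about the schema, so confirm them against your own export before relying on the result. The fixed-version table is taken directly from the advisory text above.

```python
"""Audit an exported PAN-OS XML configuration for the CVE-2024-5918 precondition
and compare a running PAN-OS version against the fixed releases in the advisory.

Added example, not Palo Alto Networks code. The XML element names and paths are
assumptions about the PAN-OS configuration schema; verify them against your own export.
"""
import xml.etree.ElementTree as ET

# Assumed element names (hypothetical; check your own config export).
CERT_PROFILE_ELEM = "certificate-profile"                   # client certificate auth configured
OR_OPTION_ELEM = "user-credential-or-client-cert-required"  # the "User Credentials OR Client Certificate" option

# Fixed releases named in the advisory: 10.1.11, 10.2.4-h5 (hence also 10.2.5), 11.0.3.
FIXED_VERSIONS = {
    (10, 1): (10, 1, 11, 0),
    (10, 2): (10, 2, 4, 5),
    (11, 0): (11, 0, 3, 0),
}


def parse_version(version: str) -> tuple:
    """'10.2.4-h5' -> (10, 2, 4, 5); a release without a hotfix gets hotfix 0."""
    base, _, hotfix = version.strip().partition("-h")
    parts = [int(p) for p in base.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2], int(hotfix) if hotfix else 0)


def is_fixed(version: str):
    """True/False for the 10.1, 10.2 and 11.0 trains; True for trains newer than 11.0
    ("all later PAN-OS versions"); None for trains the advisory text does not name."""
    v = parse_version(version)
    train = v[:2]
    if train in FIXED_VERSIONS:
        return v >= FIXED_VERSIONS[train]
    if train > (11, 0):
        return True
    return None


def audit_globalprotect(xml_text: str) -> list:
    """One finding per portal/gateway. 'exposed' is True only when BOTH advisory
    preconditions hold: a certificate profile is set AND the OR option is 'yes'."""
    root = ET.fromstring(xml_text)
    findings = []
    for kind, path in (("portal", ".//global-protect-portal/entry"),
                       ("gateway", ".//global-protect-gateway/entry")):
        for entry in root.iterfind(path):
            cert_profile = (entry.findtext(".//" + CERT_PROFILE_ELEM) or "").strip()
            or_option = any((e.text or "").strip().lower() == "yes"
                            for e in entry.iter(OR_OPTION_ELEM))
            findings.append({
                "kind": kind,
                "name": entry.get("name", "?"),
                "client_cert_auth": bool(cert_profile),
                "allow_creds_or_cert": or_option,
                "exposed": bool(cert_profile) and or_option,
            })
    return findings


# Constructed sample export: one exposed portal, one portal with the mitigation applied,
# one gateway with the option set but no client certificate authentication.
SAMPLE_CONFIG = """<config version="10.2.0"><devices><entry name="localhost.localdomain">
<vsys><entry name="vsys1"><global-protect>
  <global-protect-portal>
    <entry name="corp-portal"><portal-config>
      <certificate-profile>gp-client-certs</certificate-profile>
      <client-auth><entry name="any-os"><authentication-profile>ldap-auth</authentication-profile>
        <user-credential-or-client-cert-required>yes</user-credential-or-client-cert-required>
      </entry></client-auth></portal-config></entry>
    <entry name="partner-portal"><portal-config>
      <certificate-profile>gp-client-certs</certificate-profile>
      <client-auth><entry name="any-os"><authentication-profile>ldap-auth</authentication-profile>
        <user-credential-or-client-cert-required>no</user-credential-or-client-cert-required>
      </entry></client-auth></portal-config></entry>
  </global-protect-portal>
  <global-protect-gateway>
    <entry name="corp-gw"><client-auth><entry name="any-os">
      <authentication-profile>ldap-auth</authentication-profile>
      <user-credential-or-client-cert-required>yes</user-credential-or-client-cert-required>
    </entry></client-auth></entry>
  </global-protect-gateway>
</global-protect></entry></vsys></entry></devices></config>"""


if __name__ == "__main__":
    for finding in audit_globalprotect(SAMPLE_CONFIG):
        flag = "EXPOSED" if finding["exposed"] else "ok"
        print(f"{finding['kind']:8} {finding['name']:16} {flag}")
    for v in ("10.2.4-h4", "10.2.4-h5", "11.0.2-h4", "11.0.3"):
        print(f"PAN-OS {v}: fixed={is_fixed(v)}")
```

A portal is reported as exposed only when both conditions from the advisory are met; the `corp-gw` entry in the sample shows that the option alone, without client certificate authentication, does not meet the precondition, and `partner-portal` shows the state after the mitigation is applied.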
Additional information is available here:

Affected versions (from the CPE entries listed with the advisory):

- PAN-OS 11.0: 11.0.0 (base and h1-h3), 11.0.1 (base and h1-h4), 11.0.2 (base and h1-h4)
- PAN-OS 10.2: 10.2.0 (base and h1-h3), 10.2.1 (base and h1-h2), 10.2.2 (base and h1-h5), 10.2.3 (base and h1-h13), 10.2.4 (base and h1-h4)
- PAN-OS 10.1: 10.1.0, 10.1.1, 10.1.2, 10.1.3 (base and h1-h3), 10.1.4 (base and h1-h6), 10.1.5 (base and h1-h4), 10.1.6 (base and h1-h8), 10.1.7 (base and h1), 10.1.8 (base and h1-h7), 10.1.9 (base and h1-h8), 10.1.10 (base and h1-h5)


Tags: PAN-OS, certificate validation vulnerability, GlobalProtect, firewall, security update