Palo Alto Networks Security Advisories / CVE-2024-5921

CVE-2024-5921 GlobalProtect App: Insufficient Certificate Validation Leads to Privilege Escalation

Exploit Maturity: POC
Response Effort: MODERATE
Recovery: USER
Value Density: DIFFUSE
Attack Vector: LOCAL
Attack Complexity: LOW
Attack Requirements: PRESENT
Automatable: NO
User Interaction: NONE
Product Confidentiality: NONE
Product Integrity: HIGH
Product Availability: NONE
Privileges Required: LOW
Subsequent Confidentiality: NONE
Subsequent Integrity: HIGH
Subsequent Availability: NONE

Published: 2024-11-26
Updated: 2024-11-26
Reference: GPC-19860, GPC-19861

Description

An insufficient certificate validation issue in the Palo Alto Networks GlobalProtect app enables attackers to connect the GlobalProtect app to arbitrary servers. This can enable an attacker to install malicious root certificates on the endpoint and subsequently install malicious software signed by those malicious root certificates on that endpoint.

Product Status

Product               | Versions Affected     | Versions Unaffected
GlobalProtect App 6.3 | All                   | None
GlobalProtect App 6.2 | < 6.2.6 on Windows    | >= 6.2.6
GlobalProtect App 6.2 | All on MacOS, Linux   | None on MacOS, Linux
GlobalProtect App 6.1 | All                   | None
GlobalProtect App 6.0 | All                   | None
GlobalProtect App 5.1 | All                   | None
GlobalProtect UWP App | All on Windows        | None on Windows

Severity: MEDIUM, Suggested Urgency: MODERATE
CVSS-BT: 5.6 / CVSS-B: 6.8 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:P/AU:N/R:U/V:D/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue. We are aware of a publicly available conference talk discussing this issue.

Weakness Type and Impact

CWE-295 Improper Certificate Validation
CAPEC-233 Privilege Escalation

Solution

This issue is fixed in GlobalProtect app 6.2.6 and all later GlobalProtect app 6.2 versions on Windows.

Install GlobalProtect with the pre-deployment key FULLCHAINCERTVERIFY set to Yes:

    msiexec.exe /i GlobalProtect64.msi FULLCHAINCERTVERIFY="yes"

To specify the certificate store and the location within the certificate store that is used to load the certificates for certificate validation, install GlobalProtect using the following parameters:

    msiexec.exe /i GlobalProtect64.msi FULLCHAINCERTVERIFY="yes" CERTSTORE="machine" CERTLOCATION="ROOT"

Valid options for CERTSTORE are "machine" (recommended) and "user".

Valid options for CERTLOCATION are "ROOT" (recommended), "MY", "trusted publisher", "ca", "trust", "authroot", "smartcardroot", and "userds".

If either CERTSTORE or CERTLOCATION is unspecified, the GlobalProtect app loads the certificates from the root of the machine store by default.

Workarounds and Mitigations

You can mitigate this issue by using the GlobalProtect app in FIPS-CC mode. For details, review the documentation on how to enable and verify FIPS-CC mode.

Acknowledgments

Palo Alto Networks thanks Maxime ESCOURBIAC, Michelin CERT, Yassine BENGANA, Abicom for Michelin CERT, and Richard Warren and David Cash of AmberWolf for discovering and reporting the issue.

Timeline

2024-11-26: Initial publication
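The following PowerShell deployment script is an added example, not part of the Palo Alto Networks advisory: it installs the MSI with the FULLCHAINCERTVERIFY, CERTSTORE and CERTLOCATION pre-deployment keys described in the Solution section, restricting the two store parameters to the values the advisory lists, and then checks the installed Windows version against the fixed version 6.2.6. The MSI path and log path are placeholders, and the uninstall-registry lookup is a generic Windows mechanism, not something the advisory specifies.

```powershell
# Added example (not the advisory's own code). Run from an elevated prompt.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $MsiPath,               # e.g. C:\deploy\GlobalProtect64.msi (placeholder)
    [ValidateSet('machine', 'user')] [string] $CertStore = 'machine',
    [ValidateSet('ROOT', 'MY', 'trusted publisher', 'ca', 'trust',
                 'authroot', 'smartcardroot', 'userds')]
    [string] $CertLocation = 'ROOT',
    [string] $LogPath = "$env:TEMP\GlobalProtect-install.log"  # placeholder log location
)

if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }

# Public MSI properties from the advisory; values are quoted so msiexec
# keeps multi-word locations such as "trusted publisher" intact.
$msiArgs = @(
    '/i', ('"{0}"' -f $MsiPath),
    'FULLCHAINCERTVERIFY="yes"',
    ('CERTSTORE="{0}"' -f $CertStore),
    ('CERTLOCATION="{0}"' -f $CertLocation),
    '/qn', '/norestart',
    '/l*v', ('"{0}"' -f $LogPath)
)

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow
switch ($proc.ExitCode) {
    0       { Write-Host 'GlobalProtect installed with FULLCHAINCERTVERIFY=yes.' }
    3010    { Write-Warning 'GlobalProtect installed; a reboot is required to complete.' }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath" }
}

# Post-install check: read the installed version from the Uninstall registry keys
# and compare it with the fixed 6.2 release named in the advisory.
$fixed = [version]'6.2.6'
$installed = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                              'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'GlobalProtect*' -and $_.DisplayVersion } |
    Select-Object -First 1

if (-not $installed) {
    Write-Warning 'Could not find a GlobalProtect entry in the Uninstall registry keys.'
} elseif ([version]$installed.DisplayVersion -lt $fixed) {
    Write-Warning ("Installed GlobalProtect {0} is below {1}; the CVE-2024-5921 fix is not present." -f
                   $installed.DisplayVersion, $fixed)
} else {
    Write-Host ("Installed GlobalProtect {0} is at or above {1}." -f $installed.DisplayVersion, $fixed)
}
```

The version check only confirms the fixed build on Windows; on macOS and Linux the advisory lists no fixed version, so the FIPS-CC mode mitigation remains the applicable control there.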