Palo Alto Networks GlobalProtect 应用程序存在一个漏洞，可能导致在应用程序日志中泄露用于连接到 GlobalProtect 的加密用户凭据。这些日志通常只能由本地用户查看，并在生成用于故障排除的日志时包含在内。这意味着这些加密凭据会暴露给应用程序日志的接收者。

😨 **加密凭据泄露风险:** 漏洞会导致 GlobalProtect 应用程序日志中泄露加密的用户凭据，这些日志通常只能由本地用户查看，并用于故障排除。这意味着加密凭据可能会暴露给应用程序日志的接收者。

🔐 **漏洞影响版本:** 受影响的版本包括 GlobalProtect 应用程序 6.2 版本低于 6.2.3、GlobalProtect 应用程序 6.1 版本低于 6.1.3、GlobalProtect 应用程序 6.0 版本低于 6.0.8 以及 GlobalProtect 应用程序 5.1 版本低于 5.1.12。

🛠️ **解决方案:** 该问题已在 GlobalProtect 应用程序 5.1.12、GlobalProtect 应用程序 6.0.8、GlobalProtect 应用程序 6.1.3、GlobalProtect 应用程序 6.2.3 及更高版本中修复。为了防止加密密码泄露，用户应首先从所有端点的 GlobalProtect 安装目录中删除 PanGPS.log 文件，然后强制轮换用于连接到 GlobalProtect 的用户密码。

🤝 **致谢:** Palo Alto Networks 感谢 GMO Cybersecurity by IERAE 的 Denis Faiustov 和 Ruslan Sayfiev 发现并报告了此问题。

🗓️ **时间线:** 2024 年 6 月 12 日发布了此漏洞的初始公告。

Palo Alto Networks Security Advisories /CVE-2024-5908CVE-2024-5908 GlobalProtect App: Encrypted Credential Exposure via Log FilesUrgencyMODERATEResponse EffortMODERATERecoveryUSERValue DensityDIFFUSEAttack VectorNETWORKAttack ComplexityLOWAttack RequirementsPRESENTAutomatableNOUser InteractionACTIVEProduct ConfidentialityLOWProduct IntegrityNONEProduct AvailabilityNONEPrivileges RequiredNONESubsequent ConfidentialityHIGHSubsequent IntegrityHIGHSubsequent AvailabilityHIGHNVDJSON Published2024-06-12 Updated2024-06-12ReferenceGPC-18597DiscoveredexternallyDescriptionA problem with the Palo Alto Networks GlobalProtect app can result in exposure of encrypted user credentials, used for connecting to GlobalProtect, in application logs. Normally, these application logs are only viewable by local users and are included when generating logs for troubleshooting purposes. This means that these encrypted credentials are exposed to recipients of the application logs.Product StatusVersionsAffectedUnaffectedGlobalProtect App 6.2< 6.2.3>= 6.2.3GlobalProtect App 6.1< 6.1.3>= 6.1.3GlobalProtect App 6.0< 6.0.8>= 6.0.8GlobalProtect App 5.1< 5.1.12>= 5.1.12Severity:MEDIUMCVSSv4.0Base Score:5.5 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/AU:N/R:U/V:D/RE:M/U:Amber)Exploitation StatusPalo Alto Networks is not aware of any malicious exploitation of this issue.Weakness TypeCWE-532: Insertion of Sensitive Information into Log FileSolutionThis issue is fixed in GlobalProtect app 5.1.12, GlobalProtect app 6.0.8, GlobalProtect app 6.1.3, GlobalProtect app 6.2.3, and all later GlobalProtect app versions.Customers looking to protect against the impact of this encrypted password disclosure should first delete PanGPS.log files from the GlobalProtect installation directory on all endpoints and then force a rotation of user passwords that are used to connect to GlobalProtect.AcknowledgmentsPalo Alto Networks thanks Denis Faiustov and Ruslan Sayfiev of GMO Cybersecurity by IERAE for discovering and reporting this issue.Timeline2024-06-12Initial publication