Palo Alto Networks PAN-OS软件存在信息暴露漏洞，可能导致GlobalProtect终端用户获取相关密码，文章介绍了漏洞详情、受影响版本、解决办法等。

📌该漏洞存在于Palo Alto Networks PAN-OS软件中，使GlobalProtect终端用户能得知配置的GlobalProtect卸载密码及配置的禁用或断开连接密码，存在安全风险。

📌受影响的产品版本包括多个GlobalProtect App版本及部分PAN-OS版本，详细列出了具体的版本范围。

📌针对该漏洞，提供了修复方案，如在特定版本中进行修复，同时为保持GlobalProtect应用功能，需对相应软件进行更新，并给出了具体的操作建议。

📌还提到了一些缓解措施，如更改相关设置为特定值，以降低漏洞带来的风险。

Palo Alto Networks Security Advisories /CVE-2024-8687CVE-2024-8687 PAN-OS: Cleartext Exposure of GlobalProtect Portal PasscodesUrgencyMODERATEResponse EffortMODERATERecoveryAUTOMATICValue DensityDIFFUSEAttack VectorLOCALAttack ComplexityLOWAttack RequirementsNONEAutomatableNOUser InteractionNONEProduct ConfidentialityHIGHProduct IntegrityNONEProduct AvailabilityLOWPrivileges RequiredLOWSubsequent ConfidentialityNONESubsequent IntegrityNONESubsequent AvailabilityNONENVDJSON Published2024-09-11 Updated2024-09-11ReferencePAN-204689 andGPC-16848DiscoveredexternallyDescriptionAn information exposure vulnerability exists in Palo Alto Networks PAN-OS software that enables a GlobalProtect end user to learn both the configured GlobalProtect uninstall password and the configured disable or disconnect passcode. After the password or passcode is known, end users can uninstall, disable, or disconnect GlobalProtect even if the GlobalProtect app configuration would not normally permit them to do so.Product StatusVersionsAffectedUnaffectedCloud NGFW NoneAllGlobalProtect App 6.3NoneAllGlobalProtect App 6.2< 6.2.1>= 6.2.1GlobalProtect App 6.1< 6.1.2>= 6.1.2GlobalProtect App 6.0< 6.0.7>= 6.0.7GlobalProtect App 5.2< 5.2.13>= 5.2.13GlobalProtect App 5.1< 5.1.12>= 5.1.12PAN-OS 11.2NoneAllPAN-OS 11.1NoneAllPAN-OS 11.0< 11.0.1>= 11.0.1PAN-OS 10.2< 10.2.4>= 10.2.4PAN-OS 10.1< 10.1.9>= 10.1.9PAN-OS 10.0< 10.0.12>= 10.0.12PAN-OS 9.1< 9.1.16>= 9.1.16PAN-OS 9.0< 9.0.17>= 9.0.17PAN-OS 8.1< 8.1.25>= 8.1.25Prisma Access < 10.2.9 on PAN-OS>= 10.2.9 on PAN-OSRequired Configuration for ExposureImpacted systems are those on which any of the following features are enabled: Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App > Allow User to Disable GlobalProtect App > Allow with Passcode Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App > Allow user to disconnect GlobalProtect App > Allow with Passcode Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App > Allow User to Uninstall GlobalProtect App > Allow with PasswordSeverity:MEDIUMCVSSv4.0Base Score:6.9 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:M/U:Amber)Exploitation StatusPalo Alto Networks is not aware of any malicious exploitation of this issue.Weakness TypeCWE-497 Exposure of Sensitive System Information to an Unauthorized Control SphereSolutionThis issue is fixed in PAN-OS 8.1.25, PAN-OS 9.0.17, PAN-OS 9.1.16, PAN-OS 10.0.12, PAN-OS 10.1.9, PAN-OS 10.2.4, PAN-OS 11.0.1, and all later PAN-OS versions. It is also fixed in Prisma Access 10.2.9 and all later Prisma Access versions. To maintain GlobalProtect app functionality for the vulnerable features, we released a corresponding software update for GlobalProtect app 5.1.12, GlobalProtect app 5.2.13, GlobalProtect app 6.0.7, GlobalProtect app 6.1.2, and GlobalProtect app 6.2.1, and all later GlobalProtect app versions.To maintain the ability for end users to use the uninstall password feature and the disable or disconnect passcode feature, you must ensure that you upgrade all GlobalProtect app deployments to a fixed version before you upgrade your PAN-OS software to a fixed version.All fixed versions of GlobalProtect are backwards compatible with vulnerable versions of PAN-OS software. However, fixed versions of PAN-OS software are not backwards compatible with vulnerable versions of GlobalProtect.You can find additional information for PAN-204689 here: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-0-known-and-addressed-issues/pan-os-11-1-0-known-issuesPrisma Access customers can open a support case to request an upgrade.Workarounds and MitigationsChange the following two settings (if enabled) to "Allow with Ticket": Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App > Allow User to Disable GlobalProtect App Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App > Allow user to disconnect GlobalProtect AppChange the following setting (if enabled) to "Disallow": Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App > Allow User to Uninstall GlobalProtect AppAcknowledgmentsPalo Alto Networks thanks Claudiu Pancotan for discovering and reporting this issue.Timeline2024-09-11Initial publication