Palo Alto Networks has silently patched a critical remote code execution vulnerability in its enterprise GlobalProtect SSL VPN, which runs on Palo Alto Networks’ firewall devices.

Administrators who have still not upgraded to the fixed PAN-OS versions are urged to do so quickly, as researchers have released PoC attack code that could soon be modified by motivated attackers.

About the vulnerability (CVE-2019-1579)

CVE-2019-1579 affects the GlobalProtect portal and GlobalProtect Gateway interface.

“The bug is very straightforward. It is just a simple format string vulnerability with no authentication required,” Devcore researchers Orange Tsai and Meh Chang noted.

CVE-2019-1579 can be exploited by an unauthenticated attacker by simply sending a specially crafted request to a vulnerable device.

The researchers searched for organizations running a vulnerable version of GlobalProtect and discovered that Uber had one. They “pwned” the device by using the exploit, created a webshell on it, and then notified Uber about it.

“SSL VPNs protect corporate assets from Internet exposure, but what if SSL VPNs themselves are vulnerable? They’re exposed to the Internet, trusted to reliably guard the only way to your intranet. Once the SSL VPN server is compromised, attackers can infiltrate your Intranet and even take over all users connecting to the SSL VPN server,” the researchers said, explaining the danger of the vulnerability.

When the researchers first discovered the flaw, they also discovered that the latest PAN-OS version (v9.0) wasn’t vulnerable.

As it turned out, Palo Alto Networks discovered it before they did, but silently patched it and didn’t tell anyone about it.

That might turn out to be a bad call, as there are still many vulnerable GlobalProtect deployments out there:

Palo-Alto have dropped a massive bollock here, they didn't assign a CVE and didn't tell people it appears – result is thousands of major companies are still vulnerable to a format string (!) vulnerability which looks like it belongs in 1997 on their internet gateways. pic.twitter.com/JG5gkv4Fvy — Kevin Beaumont (@GossiTheDog) July 18, 2019

And with the PoC public, chances are good that attackers will soon start scanning organizations to discover whether they are open to attack.

What now?

The confirmed vulnerable versions are:

PAN-OS 7.1.18 and earlier

PAN-OS 8.0.11 and earlier, and

PAN-OS 8.1.2 and earlier.

Admins are advised to check whether they are running one of those (they can do so by looking for certain files, as explained by the researchers) and to upgrade to a safe release:

PAN-OS 7.1.19 and later

PAN-OS 8.0.12 and later

PAN-OS 8.1.3 and later.

“If you have not already upgraded to the available updates listed above and cannot do so now, we recommend that you update to content release 8173, or a later version, and confirm threat prevention is enabled and enforced on traffic that passes through the GlobalProtect portal and GlobalProtect Gateway interface. You are not affected if you do not have GlobalProtect enabled,” Palo Alto Networks added in a security advisory released last week.
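For admins with more than a handful of firewalls, the version thresholds and the interim mitigation above can be applied to an inventory export. The following Python sketch is an added example, not code from Palo Alto Networks or the researchers; the record fields, hostnames and the assumption that a hotfix build (a "-hN" suffix) inherits the status of its maintenance release are all illustrative.

```python
import re

# Thresholds from the article: first fixed maintenance release per branch.
FIRST_FIXED = {(7, 1): 19, (8, 0): 12, (8, 1): 3}
UNAFFECTED_BRANCHES = {(9, 0)}  # the researchers found v9.0 not vulnerable
MITIGATING_CONTENT = 8173       # content release named in the advisory

# Assumption: versions look like "8.1.2" or "8.1.2-h4" (hotfix suffix).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def classify_version(version):
    """Return vulnerable, fixed, unaffected-branch, unlisted or unparseable."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparseable"
    major, minor, maint = (int(g) for g in m.groups())
    branch = (major, minor)
    if branch in FIRST_FIXED:
        # Assumption: a hotfix of a vulnerable release is still vulnerable.
        return "vulnerable" if maint < FIRST_FIXED[branch] else "fixed"
    if branch in UNAFFECTED_BRANCHES:
        return "unaffected-branch"
    return "unlisted"  # the article says nothing about this branch


def triage(device):
    """Map one inventory record (hypothetical fields) to an action."""
    if not device["globalprotect_enabled"]:
        return "not affected (GlobalProtect disabled)"
    status = classify_version(device["panos"])
    if status == "vulnerable":
        if device["content_release"] >= MITIGATING_CONTENT:
            return "upgrade; confirm threat prevention is enforced meanwhile"
        return "upgrade now, or update content and enable threat prevention"
    if status in ("fixed", "unaffected-branch"):
        return "no action"
    return "manual review (" + status + ")"


# Constructed sample inventory: hostnames and values are made up.
INVENTORY = [
    {"host": "fw-edge-1", "panos": "8.1.2-h4", "globalprotect_enabled": True, "content_release": 8100},
    {"host": "fw-edge-2", "panos": "8.0.11", "globalprotect_enabled": True, "content_release": 8180},
    {"host": "fw-core-1", "panos": "7.1.18", "globalprotect_enabled": False, "content_release": 8000},
    {"host": "fw-lab-1", "panos": "7.0.5", "globalprotect_enabled": True, "content_release": 8173},
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(f"{d['host']:10} {d['panos']:10} {triage(d)}")
```

Branches the article does not mention come back as "manual review" rather than being guessed at.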