SEC Consult Vulnerability Lab Security Advisory < 20241009-0 >

          title: Local Privilege Escalation via MSI installer  
        product: Palo Alto Networks GlobalProtect  

vulnerable version: 5.1.x, 5.2.x, 6.0.x, 6.1.x, <6.2.5, 6.3.x
fixed version: >=6.2.5, all other versions are not patched yet
CVE number: CVE-2024-9473
impact: high
homepage: https://docs.paloaltonetworks.com/globalprotect
found: 2023-11-16
by: Michael Baer (Office Fürth)
SEC Consult Vulnerability Lab

                 An integrated part of SEC Consult, an Eviden business  
                 Europe | Asia

                 https://www.sec-consult.com

=======================================================================

Vendor description:

“GlobalProtect enables you to use Palo Alto Networks next-gen firewalls or
Prisma Access to secure your mobile workforce.”

Source: https://docs.paloaltonetworks.com/globalprotect

Business recommendation:

The vendor provides a patched version v6.2.5 which should be installed immediately.
Further affected branches will be patched by the vendor in the future, except
branch 5.2.x which is EOL. Users are urged to upgrade to the most recent versions.

SEC Consult highly recommends to perform a thorough security review of the
product conducted by security professionals to identify and resolve potential
further security issues.

Vulnerability overview/description:

1. Local Privilege Escalation via MSI installer (CVE-2024-9473)
   The configuration of the GlobalProtect MSI installer file was found to
   produce a visible conhost.exe window running as the SYSTEM user when using
   the repair function of msiexec.exe. This allows a local, low-privileged
   attacker to use a chain of actions, to open a fully functional cmd.exe
   with the privileges of the SYSTEM user.

Proof of concept:

1. Local Privilege Escalation via MSI installer (CVE-2024-9473)
   For the exploit to work, GlobalProtect has to be installed via the MSI file.
   Afterwards, any low-privileged user can start the repair of GlobalProtect by
   double-clicking the installer and trigger the vulnerable actions
   without a UAC popup. The installer, if deleted from it’s original location,
   can be found in C:\Windows\Installer with a randomized name.

During the repair process, the subprocess PanVCrediChecker.exe gets
called with SYSTEM privileges and performs a read action on the file
"C:\Program Files\Palo Alto Networks\GlobalProtect\libeay32.dll".

This can be used by an attacker by simply setting an oplock on the file.
As soon as it gets read, the process is blocked until the lock is released.
To do that, one can use the ‘SetOpLock.exe’ tool from
“https://github.com/googleprojectzero/symboliclink-testing-tools”
with the following parameters:

SetOpLock.exe “C:\Program Files\Palo Alto Networks\GlobalProtect\libeay32.dll” x
See figure 1 [lock.webp]

During the repair process, the locked file is accessed several times. The lock
has to be released by pressing ENTER five times before the conhost.exe
window opens. For the sixth request, the lock should not be released to keep the
window open. The conhost window that gets opened when PanVcrediChecker.exe is
executed doesn’t close and can then be interacted with.

The attacker can then perform the following actions to
spawn a SYSTEM shell:

• Right click on the top bar of the window
• Click on properties [ see figure 2 openbrowser.webp]
• Under options, click on the “new console features” link [see figure 2
  openbrowser.webp]
• Open the link with e.g. firefox or chrome [see figure 2 openbrowser.webp]
• In the opened browser window press the key combination CTRL+o
• Type cmd.exe in the top bar and press Enter [see figure 3 cmd.webp]

Note that this does not work using a recent version of the Edge Browser.

Vulnerable / tested versions:

The following versions have been tested which were the only versions
available to SEC Consult at the time of the test. SEC Consult was not
entirely sure, which exact version the product was:

• ProductVersion as stated by the PropertyTable: 5.2.10
• Version as stated by Windows after installing: 5.1.5
• 6.1.2 is affected as well

The vendor confirmed that versions <6.2.5 are affected. Furthermore,
all other branches 5.1.x, 5.2.x, 6.0.x, 6.1.x and 6.3.x are affected
as well. Branch 5.2.x is end of life according to the vendor and will
not be patched.

Vendor contact timeline:

2023-11-17: Contacting vendor through [email protected]
asking for most recent software version
2023-11-21: Vendor confirms receipt of contact
2023-11-23: Vendor denies providing most recent version and asks for
full technical report via their online form:
https://security.paloaltonetworks.com/report
Note: Submitting the advisory draft via online form
repeatedly results in server errors
2023-11-23: Sending the advisory via [email protected]
2024-01-11: Contacting vendor through [email protected]
asking for confirmation of receiving the advisory and
status of their triage.
2024-01-12: Vendor confirms receiving the advisory.
The issue is tracked internally.
2024-03-06: Contacting vendor through [email protected]
asking for update of the vulnerability.
2024-04-02: The vendor notifies that the product team is working
on the report.
2024-04-08: Asking vendor to notify about updates and the timeline
of a fix.
2024-04-24: Vendor was able to reproduce the issue, but not in the
most recent versions. 5.1.5 is affected, but not 5.2.10
nor 5.1.12, nor 6.2.2.
2024-05-23: Asking vendor about affected/fixed versions and regarding
CVE number.
2024-05-30: Vendor apologizes for version confusion, following up with team
internally. Vendor plans to publish an advisory with CVE, but
no date yet, asks us to wait/coordinate our advisory with theirs.
2024-06-03: Answering that we will wait for their release & advisory.
2024-06-17: Asking for a status update regarding the version numbers &
advisory release.
Vendor: no ETA/timeline yet, no version information.
2024-09-25: Asking for a status update regarding the vendor advisory and for
confirmation of the available fixes.
2024-09-27: Vendor investigated further and previous versions are unfortunately
affected as well. Product team works on a fix, advisory & CVE
release scheduled for 9th October 9 AM PT.
2024-09-27: Acknowledging the coordinated advisory release for 9th October.
2024-10-03: Vendor communicates further information regarding affected versions
and their advisory draft.
2024-10-07: Vendor confirms 5.2.x as affected as well, but is EOL without fix.
2024-10-09: Coordinated release of security advisory.

Solution:

The vendor provides an updated version v6.2.5 which fixes the issues for this
specific branch. Other versions are not yet patched and will be fixed in future
releases.

Further information can be found at the vendor’s website.
https://security.paloaltonetworks.com

Users are urged to upgrade to the latest version and remove old versions
of the MSI installer, especially users of v5.2.x as this branch is EOL and won’t
receive an update.

SEC Consult has also released a blog post on 12th September 2024 regarding MSI
installer security issues tracked as CVE-2024-38014 and a general fix by
Microsoft. We have contacted Microsoft to have a more general solution for
every affected vendor. For further details check out the blog post:
https://r.sec-consult.com/msi

Workaround:

None

Advisory URL:

https://sec-consult.com/vulnerability-lab/

SEC Consult Vulnerability Lab   
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Michael Baer, Johannes Greil / 2024