CVE-2024-5921
Palo Alto Networks GlobalProtect Agent vulnerability analysis and mitigation

Overview

An insufficient certificate validation issue in the Palo Alto Networks GlobalProtect app (CVE-2024-5921) was disclosed in November 2024. Because the app does not properly validate the certificate of the server it connects to, an attacker can make it connect to an arbitrary server: a local non-administrative operating system user, or an attacker on the same subnet, can then install a malicious root certificate on the endpoint and use it to install malicious software with elevated privileges. Multiple versions of the GlobalProtect app on Windows, macOS, and Linux are affected (Palo Alto Advisory).

Technical details

The vulnerability has a CVSS 4.0 base score of 5.6 (Medium). Palo Alto publishes two vectors, one per attack scenario: a local user (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H) and an adjacent-network attacker, which additionally requires user interaction (CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H). The root cause is improper certificate validation (CWE-295) in the GlobalProtect app: once the app is talking to an attacker-controlled server, the attacker abuses the app's update mechanism to deliver the malicious root certificate and the malicious software described under Impact (Palo Alto Advisory).

Impact

The vulnerability allows an attacker to capture user login credentials, execute arbitrary code with elevated privileges (SYSTEM on Windows, root on macOS), and install a malicious root certificate on the endpoint. Because that root certificate remains trusted by the endpoint, it enables further attacks such as forging code signatures or man-in-the-middle interception of other TLS traffic the endpoint trusts (AmberWolf Blog).

Mitigation and workarounds

The issue is fixed in GlobalProtect app versions 6.2.1-c31 (Linux), 6.2.6 (Windows), 6.2.6-c857 (macOS), 6.3.2 (Windows and macOS), and all later versions. Running GlobalProtect app 6.0 or 5.1 in FIPS-CC mode is listed as a workaround. Installing a fixed version alone is not sufficient; the advisory describes three steps: (1) ensure that GlobalProtect portals present a valid, complete TLS certificate chain, (2) add the certificate authority that issued those certificates to the operating system's root certificate store on every endpoint, and (3) install a fixed version of the GlobalProtect app and enable its strict X.509v3 verification checks. Because the strict checks reject any portal whose chain does not validate against the operating system store, complete the first two steps before enabling them, or users will be unable to connect (Palo Alto Advisory).
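The following is an added example, not code from the advisory or from the GlobalProtect product, showing what the strict validation in step 3 demands of a portal certificate. It assumes the openssl command-line tool is installed; the CA name, the host name gp-portal.example.com, and every certificate it generates are constructed for the demonstration. It builds a throwaway private root CA (standing in for the CA that step 2 adds to the OS root store), a portal certificate issued by that CA, and a self-signed certificate for the same host name (standing in for the rogue server's certificate), then runs the two checks a strict client performs: does the certificate chain to a trusted root, and does it carry the expected host name.

```shell
#!/bin/sh
# Added example; not Palo Alto Networks code. Assumes the openssl CLI.
# Names and certificates below are constructed for the demonstration.
set -e

# make_test_pki DIR: write ca.pem (private root CA), portal.pem (leaf issued by
# that CA for gp-portal.example.com) and rogue.pem (self-signed leaf for the same
# host name, issued by nobody the endpoint trusts) into DIR.
make_test_pki() {
  dir="$1"
  # Private root CA: in a real deployment this is the CA certificate that
  # step 2 of the fix installs into the operating system root store.
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" -days 2 \
    -subj "/CN=Example Private Root CA" >/dev/null 2>&1
  # Portal certificate: CSR, then issued by the CA.
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/portal.key" -out "$dir/portal.csr" \
    -subj "/CN=gp-portal.example.com" >/dev/null 2>&1
  openssl x509 -req -in "$dir/portal.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/portal.pem" >/dev/null 2>&1
  # Rogue certificate: same host name, but self-signed by the attacker.
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/rogue.key" -out "$dir/rogue.pem" -days 1 \
    -subj "/CN=gp-portal.example.com" >/dev/null 2>&1
}

# verify_portal_cert CERT TRUST_STORE HOSTNAME
# Exit status 0 only if CERT chains to a CA in TRUST_STORE and its name matches
# HOSTNAME; either failure is what the fixed client rejects.
verify_portal_cert() {
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Demonstration run.
WORK=$(mktemp -d)
make_test_pki "$WORK"
for cert in portal rogue; do
  if verify_portal_cert "$WORK/$cert.pem" "$WORK/ca.pem" gp-portal.example.com; then
    echo "$cert.pem: accepted (chains to trusted root, host name matches)"
  else
    echo "$cert.pem: rejected"
  fi
done
# A properly issued certificate is still rejected when its name does not match
# the portal address the client was told to connect to.
if verify_portal_cert "$WORK/portal.pem" "$WORK/ca.pem" evil.example.com; then
  echo "portal.pem for evil.example.com: accepted (unexpected)"
else
  echo "portal.pem for evil.example.com: rejected (host name mismatch)"
fi
rm -rf "$WORK"
```

To run the same check against a live portal, capture its chain with `openssl s_client -connect <portal>:443 -showcerts` and pass the leaf and the CA file to `verify_portal_cert`; if it fails against the CA certificate you intend to distribute, fix the portal chain before enabling the strict checks. Step 2 itself is platform-specific: `certutil -addstore Root ca.cer` on Windows, `security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.pem` on macOS, and on Debian-based Linux copying the certificate into /usr/local/share/ca-certificates/ and running `update-ca-certificates`.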

Community reactions

The vulnerability has gained significant attention in the cybersecurity community, with researchers from AmberWolf presenting their findings at SANS HackFest Hollywood. The disclosure has led to increased awareness about VPN client security and the importance of proper certificate validation (Hacker News).

This report was generated using AI.
