CVE-2024-5918
📋 TL;DR
An improper certificate validation vulnerability in Palo Alto Networks PAN-OS allows an authorized user (one who can already authenticate to GlobalProtect) presenting a specially crafted client certificate to connect to a GlobalProtect portal or gateway as a different legitimate user. The attack is only possible when the portal or gateway has 'Allow Authentication with User Credentials OR Client Certificate' enabled, i.e. when a client certificate alone is accepted as proof of identity; deployments that require both credentials and a certificate are not exposed. Unauthenticated attackers cannot exploit it.
💻 Affected Systems
- Palo Alto Networks PAN-OS
📦 What is this software?
PAN-OS by Palo Alto Networks. PAN-OS is the operating system of Palo Alto Networks next-generation firewalls; GlobalProtect is its built-in VPN, made up of a portal that hands out client configuration and one or more gateways that terminate the tunnels. Both the portal and the gateway perform the client-certificate validation at issue here.
⚠️ Risk & Real-World Impact
Worst Case
An authorized malicious insider could impersonate any legitimate user to access the GlobalProtect VPN, potentially gaining unauthorized access to internal network resources.
Likely Case
An authorized user impersonates another user to reach resources that VPN policy grants to that user but not to them. The attacker's own account is the starting point, so the gain is bounded by what the impersonated account can reach, not by the firewall itself.
If Mitigated
No impact on a fixed PAN-OS release, or where 'Allow Authentication with User Credentials OR Client Certificate' is disabled on every GlobalProtect portal and gateway.
🎯 Exploit Status
Exploitation requires an account that can already authenticate to the GlobalProtect portal or gateway plus the ability to craft a client certificate. It is only possible when 'Allow Authentication with User Credentials OR Client Certificate' is enabled on the targeted portal or gateway.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PAN-OS 11.1.3, PAN-OS 11.0.5-h4, PAN-OS 10.2.12-h1, PAN-OS 10.1.14-h4
Vendor Advisory: https://security.paloaltonetworks.com/CVE-2024-5918
Restart Required: Yes
Instructions:
1. Download the appropriate PAN-OS release or hotfix from the Palo Alto Networks Customer Support Portal (or directly on the firewall under Device > Software).
2. Upload it through the firewall management interface.
3. Install the hotfix.
4. Commit any pending configuration changes so they are not lost on reboot.
5. Reboot the firewall to complete the installation.
🔧 Temporary Workarounds
Disable the vulnerable authentication mode
Set 'Allow Authentication with User Credentials OR Client Certificate' to No on every GlobalProtect portal and gateway. With it set to No, a client certificate alone is not accepted as a login; the user must also present valid credentials, which closes the impersonation path.
🧯 If You Can't Patch
- Set 'Allow Authentication with User Credentials OR Client Certificate' to No on each GlobalProtect portal and gateway so that a certificate alone can no longer log a user in
- Add a second authentication factor to the credential step and segment what GlobalProtect users can reach, so that an impersonated login still has to pass per-user policy
🔍 How to Verify
Check if Vulnerable:
Run show system info | match sw-version on the CLI and compare the result against the fixed release for the same train. Then, on each GlobalProtect portal and gateway, check whether 'Allow Authentication with User Credentials OR Client Certificate' is set to Yes. A device is exposed only if it runs an unfixed version and has that option enabled.
Check Version:
show system info | match sw-version
Verify Fix Applied:
Run show system info | match sw-version and confirm the version is at or above the fixed release for its own train (11.1.3, 11.0.5-h4, 10.2.12-h1 or 10.1.14-h4). Compare within the train: 10.2.12-h1 is fixed even though it is numerically lower than 11.0.5-h4, and 10.2.12 without the -h1 hotfix is not.
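The within-train comparison above is easy to get wrong by hand, especially with -hN hotfix suffixes. The script below is an added example (not part of the original page or a Palo Alto Networks tool) that parses the sw-version line and classifies it; the fixed-version table is taken from this page's Official Fix list and the sample CLI line is constructed.

```python
import re

# Fixed releases per PAN-OS train for CVE-2024-5918, taken from this page's
# "Official Fix" list (assumption: the list is complete for your trains).
FIXED_VERSIONS = {
    "11.1": "11.1.3",
    "11.0": "11.0.5-h4",
    "10.2": "10.2.12-h1",
    "10.1": "10.1.14-h4",
}

# major.minor.maintenance with an optional -hN hotfix suffix, e.g. 10.2.12-h1
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version):
    """Turn '10.2.12-h1' into (10, 2, 12, 1). A base release gets hotfix 0, so
    10.2.12 < 10.2.12-h1 < 10.2.13, which is how PAN-OS hotfixes order."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_fixed(version):
    """True if `version` is at or above the fixed release of its own train,
    False if below it, None if the train is not in the table (unknown, not safe)."""
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    if train not in FIXED_VERSIONS:
        return None
    return parsed >= parse_version(FIXED_VERSIONS[train])


def check_cli_output(output):
    """Pull sw-version out of 'show system info | match sw-version' output
    and return (version, fixed?)."""
    match = re.search(r"sw-version:\s*(\S+)", output)
    if not match:
        raise ValueError("no sw-version line in output")
    version = match.group(1)
    return version, is_fixed(version)


if __name__ == "__main__":
    # Constructed sample of the CLI line; a real device prints the same shape.
    sample = "sw-version: 10.2.11-h2"
    print(check_cli_output(sample))  # ('10.2.11-h2', False)
```

A None result means the train is not covered by this page's table, not that the device is safe; check the vendor advisory for that train before concluding anything.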
📡 Detection & Monitoring
Log Indicators:
- The same client endpoint (public IP plus machine name) logging in successfully as more than one username within a short period, particularly with a client-certificate auth method
- Successful certificate-based logins for a user who does not normally authenticate that way, or whose session overlaps with another session for the same user from a different location
Network Indicators:
- Unusual VPN connection patterns from authorized users, such as logins at atypical times or from atypical locations
- Multiple user sessions originating from the same client system
SIEM Query:
Illustrative only; the log source name is an assumption, and the field names (eventid, srcuser, public_ip, machinename, status) follow the PAN-OS GlobalProtect log and must be mapped to your SIEM's field names.
source="pan_logs" log_type="globalprotect" eventid="portal-auth" status="success" | stats dc(srcuser) AS users values(srcuser) AS names by public_ip, machinename | where users > 1
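The detection logic behind that query, run over a handful of constructed log lines so it can be exercised offline. This is an added example, not tooling from the page or from Palo Alto Networks: the CSV layout, the auth_method values and the sample entries are assumptions, while the column names mirror GlobalProtect log fields. It flags any client endpoint that authenticated successfully to the portal as more than one distinct user inside a time window, which is the observable footprint of one insider using a crafted certificate to become someone else.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample, not real device output. The columns use GlobalProtect log
# field names (eventid, stage, auth_method, srcuser, public_ip, machinename,
# status) but the CSV layout and the auth_method values are assumptions; map
# them to whatever shape your log forwarder actually produces.
SAMPLE_LOG = """\
time,eventid,stage,auth_method,srcuser,public_ip,machinename,status
2024/08/15 09:00:01,portal-auth,login,client-certificate,alice,203.0.113.10,LAPTOP-A1,success
2024/08/15 09:00:05,gateway-auth,login,client-certificate,alice,203.0.113.10,LAPTOP-A1,success
2024/08/15 09:02:40,portal-auth,login,client-certificate,bob,203.0.113.10,LAPTOP-A1,success
2024/08/15 09:02:44,gateway-auth,login,client-certificate,bob,203.0.113.10,LAPTOP-A1,success
2024/08/15 09:10:00,portal-auth,login,LDAP,carol,198.51.100.7,LAPTOP-C3,success
2024/08/15 09:11:00,portal-auth,login,client-certificate,dave,198.51.100.7,LAPTOP-C3,failure
2024/08/15 13:30:00,portal-auth,login,client-certificate,erin,203.0.113.10,LAPTOP-A1,success
"""

TIME_FORMAT = "%Y/%m/%d %H:%M:%S"


def parse_log(text):
    """Parse the CSV export into dicts with a datetime in 'time'."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["time"] = datetime.strptime(row["time"], TIME_FORMAT)
    return rows


def find_shared_client_users(rows, window_hours=1.0):
    """Return {(public_ip, machinename): [users]} for every client endpoint that
    successfully authenticated to the portal as more than one distinct user
    within `window_hours`. Only successful portal logins count: failures and
    the follow-on gateway-auth for the same session would inflate the count."""
    window = timedelta(hours=window_hours)
    by_client = defaultdict(list)
    for row in rows:
        if row["eventid"] == "portal-auth" and row["status"] == "success":
            key = (row["public_ip"], row["machinename"])
            by_client[key].append((row["time"], row["srcuser"]))

    hits = {}
    for client, events in by_client.items():
        events.sort()
        flagged = set()
        for i, (t0, user0) in enumerate(events):
            users = {user0}
            for t1, user1 in events[i + 1:]:
                if t1 - t0 > window:
                    break  # events are sorted, nothing later fits this window
                users.add(user1)
            if len(users) > 1:
                flagged |= users
        if flagged:
            hits[client] = sorted(flagged)
    return hits


if __name__ == "__main__":
    for client, users in find_shared_client_users(parse_log(SAMPLE_LOG)).items():
        print(f"{client[1]} ({client[0]}) logged in as: {', '.join(users)}")
```

Keying on machine name as well as public IP matters: many legitimate users share one NAT address, so IP alone is noisy, whereas two distinct usernames from the same endpoint within an hour is rare outside shared jump hosts. Tune the window to your environment and whitelist known shared hosts before alerting.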