CVE-2024-8691
📋 TL;DR
This vulnerability allows an authenticated GlobalProtect user to impersonate another GlobalProtect user, disconnecting the legitimate user while hiding the attacker's identity in logs. It affects Palo Alto Networks PAN-OS software with GlobalProtect portal enabled. Attackers must have valid GlobalProtect credentials to exploit this.
💻 Affected Systems
- Palo Alto Networks PAN-OS
📦 What is this software?
PAN-OS by Palo Alto Networks
⚠️ Risk & Real-World Impact
Worst Case
An attacker could impersonate administrators or privileged users, potentially gaining unauthorized access to sensitive network resources while evading detection through log manipulation.
Likely Case
Attackers impersonate regular users to access resources they shouldn't have permission for, while disrupting legitimate user VPN connections.
If Mitigated
With proper monitoring and least privilege access controls, impact is limited to temporary connection disruption for targeted users.
🎯 Exploit Status
Requires authenticated GlobalProtect user access. The vulnerability is in the authentication mechanism allowing user impersonation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PAN-OS 11.1.3, PAN-OS 11.0.5-h4, PAN-OS 10.2.12-h2
Vendor Advisory: https://security.paloaltonetworks.com/CVE-2024-8691
Restart Required: Yes
Instructions:
1. Download the appropriate PAN-OS update from the Palo Alto Networks support portal.
2. Upload the software image to your firewall.
3. Install the update following Palo Alto's upgrade procedures.
4. Reboot the firewall to complete the installation.
🔧 Temporary Workarounds
Disable GlobalProtect Portal
Temporarily disable the GlobalProtect portal if it is not required. This prevents exploitation but also removes legitimate VPN access.
🧯 If You Can't Patch
- Implement strict access controls and monitoring for GlobalProtect user activity
- Enable multi-factor authentication for GlobalProtect users to reduce impact of credential compromise
🔍 How to Verify
Check if Vulnerable:
Check the PAN-OS version via the web interface or the CLI command show system info. If the version is earlier than 11.1.3, 11.0.5-h4, or 10.2.12-h2 for its release branch and the GlobalProtect portal is enabled, the system is vulnerable.
Check Version:
show system info | match version
Verify Fix Applied:
After patching, confirm via show system info that the PAN-OS version is 11.1.3, 11.0.5-h4, or 10.2.12-h2 or later for the release branch in use.
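The version check described above, as an added example that is not part of the advisory or of any Palo Alto Networks tooling. It parses a PAN-OS version string (including the -hN hotfix suffix), compares it against the fixed release of the same branch listed in the advisory, and extracts the sw-version line from show system info output. The sample output is constructed; the assumption that only the three listed branches are judged (any other branch returns None, meaning unknown) is this example's own.

```python
import re

# Fixed versions listed in the advisory, keyed by release branch (major, minor).
# Assumption made for this example: a version is judged only against the fixed
# release of its own branch; branches not listed here return None (unknown).
FIXED_VERSIONS = {
    (11, 1): "11.1.3",
    (11, 0): "11.0.5-h4",
    (10, 2): "10.2.12-h2",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version):
    """Turn a PAN-OS version string such as '11.0.5-h4' into a comparable tuple.
    A release without a hotfix suffix counts as hotfix 0, so 11.0.5 < 11.0.5-h4."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_vulnerable(version, portal_enabled):
    """True if vulnerable, False if not, None if the branch is not in FIXED_VERSIONS."""
    if not portal_enabled:
        # The advisory scopes the issue to devices with the GlobalProtect portal enabled.
        return False
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


# Constructed sample of 'show system info' output, trimmed to a few lines.
SAMPLE_SHOW_SYSTEM_INFO = """hostname: fw-edge-01
model: PA-VM
sw-version: 10.2.11
"""


def extract_sw_version(show_system_info_output):
    """Pull the sw-version value out of 'show system info' text."""
    for line in show_system_info_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "sw-version":
            return value.strip()
    raise ValueError("sw-version line not found")


if __name__ == "__main__":
    ver = extract_sw_version(SAMPLE_SHOW_SYSTEM_INFO)
    print(ver, "vulnerable:", is_vulnerable(ver, portal_enabled=True))
```

Feed the function the real output of show system info | match version and the actual portal state from the device's configuration; a None result means the branch is outside the table and the vendor advisory should be consulted for that branch.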
📡 Detection & Monitoring
Log Indicators:
- Multiple authentication events for same user from different IPs in quick succession
- Users reporting unexpected VPN disconnections
- Authentication logs showing user activity inconsistent with normal patterns
Network Indicators:
- Unusual VPN connection patterns
- Multiple connection attempts from same source to different user accounts
SIEM Query:
source="pan_logs" AND (event_type="authentication" OR event_type="vpn") | stats count by user, src_ip | where count > threshold
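The two log indicators above (the same user authenticating from different IPs in quick succession, and a VPN disconnect that follows a login from elsewhere), as an added detection example that is not part of the advisory or of any Palo Alto Networks product. The events are constructed in a simplified CSV shape rather than the native PAN-OS log format, and the five-minute window and two-IP threshold are this example's own assumptions; a SIEM equivalent would apply the same grouping to the real authentication and GlobalProtect log fields.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample events in a simplified CSV shape (not the native PAN-OS
# log format): timestamp,event_type,user,src_ip,result
SAMPLE_LOGS = """2024-09-11T10:00:01Z,auth,alice,203.0.113.10,success
2024-09-11T10:00:45Z,auth,alice,198.51.100.7,success
2024-09-11T10:01:10Z,vpn,alice,203.0.113.10,disconnect
2024-09-11T10:05:00Z,auth,bob,192.0.2.5,success
2024-09-11T11:30:00Z,auth,bob,192.0.2.9,success
"""


def parse_events(text):
    """Parse the constructed CSV lines into event dicts with real timestamps."""
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, event_type, user, src_ip, result = row
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "type": event_type,
            "user": user,
            "src_ip": src_ip,
            "result": result,
        })
    return events


def find_multi_ip_logins(events, window=timedelta(minutes=5), min_ips=2):
    """Users with successful authentications from min_ips or more distinct
    source IPs inside any sliding window of the given length.
    Returns {user: sorted list of the IPs involved}."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "auth" and e["result"] == "success":
            by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it fits within the time limit.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ips = {e["src_ip"] for e in evs[start:end + 1]}
            if len(ips) >= min_ips:
                findings.setdefault(user, set()).update(ips)
    return {u: sorted(ips) for u, ips in findings.items()}


def find_disconnect_after_foreign_login(events, window=timedelta(minutes=5)):
    """VPN disconnects that follow, within the window, a successful login by the
    same user from a different source IP. Returns (user, dropped_ip, new_ip) tuples."""
    logins = [e for e in events if e["type"] == "auth" and e["result"] == "success"]
    hits = []
    for d in events:
        if d["type"] != "vpn" or d["result"] != "disconnect":
            continue
        for login in logins:
            if (login["user"] == d["user"] and login["src_ip"] != d["src_ip"]
                    and timedelta(0) <= d["ts"] - login["ts"] <= window):
                hits.append((d["user"], d["src_ip"], login["src_ip"]))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    print(find_multi_ip_logins(evs))
    print(find_disconnect_after_foreign_login(evs))
```

In the sample, alice is flagged by both checks, while bob's two logins from different IPs are 85 minutes apart and fall outside the window, which is the kind of ordinary roaming the window is meant to ignore. Tune the window and threshold to the site's own baseline; the SIEM query above leaves "threshold" as a placeholder for the same reason.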