CVE-2022-0016 The Connect Before Logon feature has an improper handling of exceptional conditions vulnerability that enables a local attacker to escalate to SYSTEM or root privileges when authenticating with Connect.

CVE-2018-8489 has been assigned to this issue. It is recommended that customers upgrade to version 5.2.9 as soon as possible. Connect Before Logon is enabled by default on GlobalProtect app 5.2.x, allowing users to log on to Microsoft Active Directory and LDAP directories from the app using their Active Directory/LDAP credentials. However, when Connect Before Logon is enabled, it is possible for a local user to sign into a guest account in the same Active Directory/LDAP directory as well. This could create a situation where a local user could sign into Active Directory/LDAP directories as a guest user and gain SYSTEM or root privileges. This could allow a local attacker to escalate privileges within the network to SYSTEM or root, depending on the Active Directory/LDAP server.

How to Upgrade to Version 5.2.9 of the Connect Before Logon App

The Connect Before Logon app was updated to version 5.2.9 on September 10, 2018. The latest version of the Connect Before Logon app contains a fix for this issue, meaning you do not have to take any action after upgrading to version 5.2.9 in order to resolve the security vulnerability.
The upgrade is available here: https://www.symantec.com/connect-before-logon-app/versions#5-2

Vulnerability Details:

This vulnerability is similar to CVE-2018-8489. Connect Before Logon is enabled by default on GlobalProtect app 5.2.x, which allows users to log on to Microsoft Active Directory and LDAP directories from the app using their Active Directory/LDAP credentials. However, when Connect Before Logon is enabled, it is possible for a local user to sign into a guest account in the same Active Directory/LDAP directory as well. This could create a situation where a local user could sign into Active Directory/LDAP directories as a guest user and gain SYSTEM or root privileges. This could allow a local attacker to escalate privileges within the network to SYSTEM or root, depending on the Active Directory/LDAP server.

References:

- https://support.citrix.com/article/CTX217969
- https://www.us-cert.gov/ncas/alerts/TA18-324A

Solution

If you are running GlobalProtect app 5.2.x, it is recommended that you upgrade to version 5.2.9 as soon as possible. This will address the vulnerability and improve security of your network.

Timeline

Published on: 02/10/2022 18:15:00 UTC
Last modified on: 02/17/2022 13:54:00 UTC

References

• https://security.paloaltonetworks.com/CVE-2022-0016
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0016