where the local user accounts are shared across different applications, such as email. Remote attackers can use this information exposure vulnerability to impersonate the local user account on the system to potentially access mission-critical applications and data. To potentially exploit this information exposure vulnerability, an attacker would first need to convince a local user to install the Palo Alto Networks GlobalProtect app on their system. Once the attacker has control of the system, they would need to convince the local user to enable the Single Sign-On feature in the GlobalProtect portal. Afterwards, the attacker would use a phishing email or malicious link to direct the local user to enable the Single Sign-On feature in the GlobalProtect portal. Afterwards, the attacker would use the phishing email or malicious link to direct the local user to visit a website or open a file that directs the user to install the Palo Alto Networks GlobalProtect app. When the local user clicks on the installation or update prompt in the app, the attacker impersonates the local user account and can access the system.
Vulnerability details
Impersonation vulnerability allows attackers to access the system as the local user account.
Vulnerability overview
The vulnerability exists because the Palo Alto Networks GlobalProtect app allows local users to log into the system and use their credentials to access other applications. The attacker would need to convince a local user to install the app and then convince the user to enable a feature in the GlobalProtect portal. This is a phishing attack, where an attacker would have an email or malicious link that directs the local user to enable this feature in the GlobalProtect portal and visit a website or open a file that leads them towards installing the app. When they do this, their account is automatically assigned as a Single Sign-On account for all available applications on the system. If this happens, attackers can now impersonate these accounts by using other malicious websites or files that are linked to these apps.
How to Test for Information Exposure Vulnerability
The information exposure vulnerability can be detected by validating the list of secure applications.
To verify, open the single sign-on portal in GlobalProtect and log in with a local user account that has not been enabled for Single Sign-On. Next, choose the "Change Settings" link in the top left corner of the portal to view a list of all available services. If an application is not listed, it does not require authentication for any user on the system to access it.
Also, use Internet Explorer or Firefox to browse to https://www.google.com/settings/. When prompted for credentials, click "Forgot your password?" or "Sign In." Then enter one of your local user accounts and see if your information is visible on Google's website.
If you want to confirm whether or not your local user account has been affected, download an application from the internet (such as event viewer) and run it locally on your system. If you can access this application without authentication, then your account has likely been compromised by this vulnerability.
Timeline
Published on: 02/10/2022 18:15:00 UTC
Last modified on: 02/17/2022 15:10:00 UTC