CVE-2022-0018 An information exposure vulnerability exists in the Palo Alto Networks GlobalProtect app which sends the credentials of the local user account to the GlobalProtect portal when the Single Sign-On feature is enabled.

CVE-2022-0018 An information exposure vulnerability exists in the Palo Alto Networks GlobalProtect app which sends the credentials of the local user account to the GlobalProtect portal when the Single Sign-On feature is enabled.

where the local user accounts are shared across different applications, such as email. Remote attackers can use this information exposure vulnerability to impersonate the local user account on the system to potentially access mission-critical applications and data. To potentially exploit this information exposure vulnerability, an attacker would first need to convince a local user to install the Palo Alto Networks GlobalProtect app on their system. Once the attacker has control of the system, they would need to convince the local user to enable the Single Sign-On feature in the GlobalProtect portal. Afterwards, the attacker would use a phishing email or malicious link to direct the local user to enable the Single Sign-On feature in the GlobalProtect portal. Afterwards, the attacker would use the phishing email or malicious link to direct the local user to visit a website or open a file that directs the user to install the Palo Alto Networks GlobalProtect app. When the local user clicks on the installation or update prompt in the app, the attacker impersonates the local user account and can access the system.

Vulnerability details

Impersonation vulnerability allows attackers to access the system as the local user account.

Vulnerability overview

The vulnerability exists because the Palo Alto Networks GlobalProtect app allows local users to log into the system and use their credentials to access other applications. The attacker would need to convince a local user to install the app and then convince the user to enable a feature in the GlobalProtect portal. This is a phishing attack, where an attacker would have an email or malicious link that directs the local user to enable this feature in the GlobalProtect portal and visit a website or open a file that leads them towards installing the app. When they do this, their account is automatically assigned as a Single Sign-On account for all available applications on the system. If this happens, attackers can now impersonate these accounts by using other malicious websites or files that are linked to these apps.

How to Test for Information Exposure Vulnerability

The information exposure vulnerability can be detected by validating the list of secure applications.
To verify, open the single sign-on portal in GlobalProtect and log in with a local user account that has not been enabled for Single Sign-On. Next, choose the "Change Settings" link in the top left corner of the portal to view a list of all available services. If an application is not listed, it does not require authentication for any user on the system to access it.
Also, use Internet Explorer or Firefox to browse to https://www.google.com/settings/. When prompted for credentials, click "Forgot your password?" or "Sign In." Then enter one of your local user accounts and see if your information is visible on Google's website.
If you want to confirm whether or not your local user account has been affected, download an application from the internet (such as event viewer) and run it locally on your system. If you can access this application without authentication, then your account has likely been compromised by this vulnerability.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe