Security researchers recently disclosed a serious information-exposure vulnerability in Palo Alto Networks PAN-OS that affects the GlobalProtect client. Tracked as CVE-2024-8687, the flaw lets a GlobalProtect end user recover the uninstall password and the disable or disconnect passcode that are meant to lock down the VPN. With those values in hand, a user can uninstall, disable, or disconnect the client even when administrators have configured it to prevent exactly that. In this post we break down what the vulnerability is, how it works, show the relevant snippets, and point to the key references.
What is Palo Alto Networks GlobalProtect?
GlobalProtect is Palo Alto Networks' VPN solution for remote users. Companies often enforce always-on or “lockdown” VPNs using GlobalProtect, ensuring users can’t simply disconnect, disable, or uninstall the client. Administrators set an uninstall password and disable/disconnect passcodes to prevent tampering.
What is CVE-2024-8687?
This vulnerability lets an ordinary end user with access to their own device read the client configuration and learn these protected passwords. That defeats the lockdown feature entirely and opens the door to bypassing the company's VPN policy.
Vendor Advisory: Official PAN-OS Security Advisory
How the Vulnerability Happens
When GlobalProtect is installed, the client stores configuration files locally. Such files should not contain sensitive data at all, or should at least encrypt or obfuscate it. Because of this bug, the uninstall password and disable/disconnect passcode are readable in plain text by anyone with basic access to the system.
On a Windows PC, the configuration files are typically found in the following locations:
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHipMp.exe.config
C:\Program Files\Palo Alto Networks\GlobalProtect\GlobalProtect.conf
C:\ProgramData\Palo Alto Networks\GlobalProtect\*
The relevant installer or client config file holds the password and passcodes openly. For example:
<UninstallPassword>supersecretpassword</UninstallPassword>
<DisablePasscode>letmeoutnow</DisablePasscode>
In more recent PAN-OS builds, a newer .conf or .ini format might look like this:
[General]
UninstallPassword=supersecretpassword
DisablePasscode=letmeoutnow
> Note: Even if these files use base64 encoding, that's trivial for any user to decode.
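As an added example (not code from the post or from Palo Alto Networks), the following Python audit function parses the two configuration shapes shown above, the XML elements and the KEY=value lines, and reports whether an uninstall password or disable passcode is recoverable, flagging base64-wrapped values as well, while never echoing the secret itself so the result can feed a fleet-wide check of which endpoints still carry exposed credentials after patching. The file names, sample values and the base64 heuristic are constructed assumptions.

```python
import base64
import re

# The two lockdown secrets the page shows stored in client config files.
SENSITIVE_KEYS = ("UninstallPassword", "DisablePasscode")
# Shapes quoted on the page: an XML element per key, or a KEY=value INI line.
XML_RE = re.compile(r"<(?P<key>\w+)>(?P<val>[^<]*)</(?P=key)>")
INI_RE = re.compile(r"^\s*(?P<key>\w+)\s*=\s*(?P<val>.*?)\s*$", re.MULTILINE)


def looks_base64(value: str) -> bool:
    """Heuristic: value is valid base64 that decodes to printable ASCII."""
    if len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    try:
        decoded = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return decoded.isascii() and decoded.decode().isprintable()


def find_exposed_secrets(config_text: str) -> list[dict]:
    """One finding per recoverable lockdown secret, without the value itself,
    so the report can go into a ticket without re-exposing the credential."""
    findings = []
    for fmt, pattern in (("xml", XML_RE), ("ini", INI_RE)):
        for m in pattern.finditer(config_text):
            key, val = m.group("key"), m.group("val").strip()
            if key in SENSITIVE_KEYS and val:
                encoding = "base64" if looks_base64(val) else "plaintext"
                findings.append({"key": key, "format": fmt,
                                 "encoding": encoding, "length": len(val)})
    return findings


# Constructed samples (not real captures): both page formats, one value
# wrapped in base64, and one clean file as the negative case.
SAMPLES = {
    "GlobalProtect.conf": "<GlobalProtect>\n"
        "  <UninstallPassword>supersecretpassword</UninstallPassword>\n"
        "  <DisablePasscode>letmeoutnow</DisablePasscode>\n</GlobalProtect>\n",
    "settings.ini": "[General]\nUninstallPassword=c3VwZXJzZWNyZXRwYXNzd29yZA==\n"
        "DisablePasscode=letmeoutnow\nLogLevel=debug\n",
    "clean.ini": "[General]\nPortal=vpn.example.com\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        found = find_exposed_secrets(text)
        print("EXPOSED" if found else "ok", name, found)
```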
Exploit Details
Anyone with local access (including standard user privileges) can browse the GlobalProtect install folder or AppData directory and open these configuration files using Notepad or any text editor. There’s no special admin permission required to view the files.
Example (Windows command line):
type "C:\Program Files\Palo Alto Networks\GlobalProtect\GlobalProtect.conf" | findstr "Password Passcode"
Or, using PowerShell:
Get-Content "C:\Program Files\Palo Alto Networks\GlobalProtect\GlobalProtect.conf" | Select-String "Password|Passcode"
Example output:
UninstallPassword=supersecretpassword
DisablePasscode=letmeoutnow
Mitigation & Vendor Fixes
- Update: Palo Alto Networks has released PAN-OS updates that fix the exposure. Upgrade to the latest GlobalProtect client and PAN-OS versions (see the Advisory).
- File permissions: as a temporary workaround, restrict access to the configuration files to administrators only (though this is not foolproof).
- Monitoring: watch for unexpected GlobalProtect disables or uninstalls and investigate them promptly.
References
- PAN-OS Security Advisory for CVE-2024-8687
- GlobalProtect Documentation
- NVD (National Vulnerability Database) Entry
Conclusion
CVE-2024-8687 is a major flaw if your organization depends on GlobalProtect to enforce secure remote access policies. The plain exposure of sensitive access codes in local config files gives end users the means to defeat an enforced VPN. If you use Palo Alto Networks GlobalProtect, patch right away and review your deployment for exposure.
Stay safe, stay updated!
*This post is exclusive and simplified for easy understanding—please share with your IT and security team ASAP!*
Timeline
Published on: 09/11/2024 17:15:14 UTC
Last modified on: 10/03/2024 00:26:56 UTC