[SingCERT] Critical RCE Vulnerability (CVE-2019-1579) in Palo Alto Gateway

Published on Tuesday, 23 July 2019 18:05

Background

 

A critical remote code execution vulnerability (CVE-2019-1579) was found in the Palo Alto GlobalProtect Portal and GlobalProtect Gateway interface products. CVE-2019-1579 is a pre-authentication format string vulnerability that could be exploited by sending a specially crafted request to the vulnerable Secure Sockets Layer (SSL) Virtual Private Network (VPN) gateway.

There have been reports of threat actors targeting organisations around the world by using this vulnerability.

Affected Versions


  • PAN-OS 7.1.18 and earlier
  • PAN-OS 8.0.11 and earlier
  • PAN-OS 8.1.2 and earlier

 

PAN-OS 9.0 and systems that have GlobalProtect disabled are not affected.
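The affected-version list above can be applied to a firewall inventory with a short script. The following is an added example, not part of the SingCERT advisory or any Palo Alto tooling. The CSV layout, hostnames and status labels are constructed for illustration, and it assumes that a hotfix build such as 8.1.2-h1 has the same status as its base release and that branches the advisory does not mention are reported as "unlisted" rather than guessed at.

```python
import csv
import io
import re

# Last affected maintenance release per branch, as listed in the advisory.
LAST_AFFECTED = {(7, 1): 18, (8, 0): 11, (8, 1): 2}
# Branch the advisory states is not affected.
UNAFFECTED_BRANCHES = {(9, 0)}

# major.minor.patch with an optional hotfix suffix (assumption: "-hN" form).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def triage(version, globalprotect_enabled):
    """Return 'affected', 'not-affected' or 'unlisted' for one device."""
    if not globalprotect_enabled:
        return "not-affected"  # advisory: GlobalProtect disabled is not affected
    match = VERSION_RE.match(version.strip())
    if not match:
        return "unlisted"  # unparseable version string, needs manual review
    major, minor, patch = (int(part) for part in match.groups())
    branch = (major, minor)
    if branch in UNAFFECTED_BRANCHES:
        return "not-affected"
    if branch in LAST_AFFECTED:
        return "affected" if patch <= LAST_AFFECTED[branch] else "not-affected"
    return "unlisted"  # branch not mentioned in the advisory


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = """hostname,panos_version,globalprotect_enabled
fw-edge-01,8.1.2,yes
fw-edge-02,8.1.3,yes
fw-branch-01,7.1.18-h2,yes
fw-lab-01,8.0.4,no
fw-dc-01,9.0.2,yes
fw-old-01,7.0.5,yes
"""


def triage_inventory(csv_text):
    """Map each hostname in the CSV text to its triage status."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        enabled = row["globalprotect_enabled"].strip().lower() == "yes"
        results[row["hostname"]] = triage(row["panos_version"], enabled)
    return results


if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

Devices reported as "unlisted" should be checked against the vendor advisory in the references rather than assumed safe.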

 

Impact

 

Successful exploitation of the vulnerability could allow an unauthenticated attacker to infiltrate the network and execute arbitrary code.

 

Recommendations

 

System administrators are advised to update their software to content release version 8173 or later immediately.

 

If it is not feasible to update the software immediately due to compliance issues, threat prevention should be enabled and enforced on traffic that passes through the GlobalProtect portal and GlobalProtect Gateway interface.

 

References

 

https://securityadvisories.paloaltonetworks.com/Home/Detail/158


http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html


https://threatpost.com/critical-rce-flaw-palo-alto-gateways-uber/146606