Lucene search
K

Palo Alto GlobalProtect Agent Privilege Escalation (CVE-2024-5921)

🗓️ 06 Dec 2024 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 23 Views

Palo Alto GlobalProtect Agent is vulnerable to privilege escalation, allowing attackers to install malicious certificates.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(212127);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/06/30");

  script_cve_id("CVE-2024-5921");
  script_xref(name:"IAVA", value:"2024-A-0771-S");

  script_name(english:"Palo Alto GlobalProtect Agent Privilege Escalation (CVE-2024-5921)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Palo Alto GlobalProtect Agent installed on the remote host is
affected by a vulnerability as referenced in the CVE-2024-5921 advisory:

  - An insufficient certification validation issue in the Palo Alto Networks GlobalProtect app enables
    attackers to connect the GlobalProtect app to arbitrary servers. This can enable a local non-
    administrative operating system user or an attacker on the same subnet to install malicious root
    certificates on the endpoint and subsequently install malicious software signed by the malicious root
    certificates on that endpoint. GlobalProtect App for Android is under evaluation. Please subscribe to our
    RSS feed https://security.paloaltonetworks.com/rss.xml to be alerted to new updates to this and other
    advisories. (CVE-2024-5921)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://security.paloaltonetworks.com/CVE-2024-5921");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Palo Alto GlobalProtect Agent version 6.2.6 or later on Windows. See vendor advisory for updated
guidance regarding MacOS/Linux.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H");
  script_set_attribute(attribute:"cvss4_supplemental", value:"CVSS:4.0/AU:N/R:U/V:D/RE:M/U:Amber");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-5921");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/11/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/11/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/12/06");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:paloaltonetworks:globalprotect");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2024-2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("palo_alto_globalprotect_agent_win_installed.nbin", "palo_alto_globalprotect_agent_mac_installed.nbin");
  script_require_ports("installed_sw/Palo Alto GlobalProtect Agent", "installed_sw/GlobalProtect");

  exit(0);
}

include('vcf.inc');
include('vcf_extras.inc');

var app_info, constraints;

vcf::palo_alto::initialize();

if (!empty_or_null(get_kb_item('SMB/Registry/Enumerated')))
{
  app_info = vcf::get_app_info(app:'Palo Alto GlobalProtect Agent');
  constraints = [
    # can't check FIPS-CC mode for 5.1/6.0
    {'min_version': '5.1', 'fixed_version': '5.2', 'fixed_display': 'See vendor advisory', 'require_paranoia': TRUE},
    {'min_version': '6.0', 'max_version': '6.0.9999', 'fixed_display': 'See vendor advisory', 'require_paranoia': TRUE},
    # additional certificate-related steps required on top of the update
    {'min_version': '6.1', 'fixed_version': '6.2.6',
      'fixed_display': 'Update to 6.2.6 and see vendor advisory for additional steps'},
    {'min_version': '6.3', 'fixed_version': '6.3.2', 'fixed_display': 'Update to 6.3.2 and see vendor advisory for additional steps'}
  ];
}
else if (!empty_or_null(get_kb_item('Host/MacOSX/Version')))
{
  app_info = vcf::get_app_info(app:'GlobalProtect');
  constraints = [
    # can't check FIPS-CC mode for 5.1/6.0
    {'min_version': '5.1', 'fixed_version': '5.2', 'fixed_display': 'See vendor advisory', 'require_paranoia': TRUE},
    {'min_version': '6.0', 'max_version': '6.0.9999', 'fixed_display': 'See vendor advisory', 'require_paranoia': TRUE},
    {'min_version': '6.1', 'fixed_version': '6.2.6-857', 'fixed_display': 'Update to 6.2.6-c857 and see vendor advisory for additional steps'},
    {'min_version': '6.3', 'fixed_version': '6.3.2', 'fixed_display': 'Update to 6.3.2 and see vendor advisory for additional steps'}
  ];
}
else
  audit(AUDIT_HOST_NOT, 'affected');

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_HOLE
);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

30 Jun 2025 00:00Current
8.9High risk
Vulners AI Score8.9
CVSS 3.18.8
CVSS 47.1
EPSS0.01454
SSVC
23