Security experts have recently uncovered several vulnerabilities in Palo Alto Networks and SonicWall VPN clients. These flaws could be exploited to execute remote code on Windows and macOS systems.
According to Evolve Security's Offensive Security Operations Center (OSOC), "Exploiting the trust that VPN clients place in servers, bad actors can alter client actions, run arbitrary commands, and gain substantial access with little effort."
In a possible attack scenario, a rogue VPN server could mislead clients into downloading harmful updates that lead to undesirable results. The outcome of this investigation is a proof-of-concept tool named NachoVPN, designed to mimic such VPN servers and exploit these vulnerabilities to gain privileged code execution.
Affected applications:
• CVE-2024-5921: CVSS score: 5.6 - This vulnerability in Palo Alto Networks GlobalProtect involves inadequate certificate validation affecting Windows, macOS, and Linux platforms, allowing connections to unauthorized servers. This may lead to the installation of malicious software. Palo Alto Networks notes that an attacker would need local non-administrative access or be on the same subnet to install harmful root certificates and software signed by these certificates on the endpoint. (Fixed in version 6.2.6 for Windows)
• CVE-2024-29014: CVSS score: 7.1 - Found in the SonicWall SMA100 NetExtender Windows client, this flaw enables code execution during the processing of an End Point Control (EPC) Client update. It affects versions 10.2.339 and earlier, with a fix available in version 10.2.341.
The GlobalProtect app can be manipulated to steal VPN credentials, perform arbitrary code execution with elevated privileges, and install harmful root certificates that could facilitate additional attacks.
Likewise, an adversary might deceive a user into connecting their NetExtender client to a rogue VPN server to send a fake EPC Client update signed with a stolen yet valid certificate, ultimately allowing execution of SYSTEM-level code.
Mitigation Steps and Recommended Updates
For mitigation, customers are encouraged to follow the guidance from the application vendors (see the References below).
There's no current evidence of these vulnerabilities being exploited in real-world scenarios, yet users of Palo Alto Networks GlobalProtect and SonicWall NetExtender should update to the latest versions to protect against potential risks.
Evolve Security has inspected client vulnerability data and found no reports of these vulnerabilities. Still, companies should verify which installed versions are vulnerable and apply the recommended fixes. It is crucial to ensure testing covers all assets, not just those typically included in regular assessments.
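As an added illustration (not code from the advisory or from either vendor), the following script audits a constructed client inventory against the fixed releases the advisory names (GlobalProtect 6.2.6 for Windows, NetExtender 10.2.341). The inventory rows and hostnames are assumptions; versions are compared numerically so that 10.2.341 sorts above 6.2.6, which a plain string comparison gets wrong.

```python
"""Flag VPN client builds that are older than the fixed releases named in
the advisory. Any build below the fixed release is reported as needing an
update (conservative: builds between the last known-vulnerable and the fixed
release are flagged too)."""
import re
from typing import Dict, List, Tuple

# Fixed versions as stated in the advisory (GlobalProtect fix is for Windows)
FIXED_VERSIONS: Dict[str, str] = {
    "GlobalProtect": "6.2.6",
    "NetExtender": "10.2.341",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.2.339' (or a suffixed '6.2.6-h1') into a tuple of ints
    so that comparison is numeric rather than lexical."""
    numbers = re.findall(r"\d+", version)
    if not numbers:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(n) for n in numbers)


def needs_update(product: str, installed: str) -> bool:
    """True when the installed build is older than the fixed release."""
    fixed = parse_version(FIXED_VERSIONS[product])
    current = parse_version(installed)
    # Pad the shorter tuple so that '6.2' compares as 6.2.0
    width = max(len(fixed), len(current))
    fixed += (0,) * (width - len(fixed))
    current += (0,) * (width - len(current))
    return current < fixed


def audit(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Rows are (hostname, product, installed_version); returns the
    hostnames whose client needs updating. Unknown products are skipped."""
    return [host for host, product, ver in inventory
            if product in FIXED_VERSIONS and needs_update(product, ver)]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders, not real hosts
    sample = [
        ("ws-01", "GlobalProtect", "6.2.5"),
        ("ws-02", "GlobalProtect", "6.2.6"),
        ("ws-03", "NetExtender", "10.2.339"),
        ("ws-04", "NetExtender", "10.2.341"),
    ]
    print(audit(sample))  # ['ws-01', 'ws-03']
```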
References
https://security.paloaltonetworks.com/CVE-2024-5921
https://nvd.nist.gov/vuln/detail/CVE-2024-5921
https://vulners.com/cve/CVE-2024-5921
https://nvd.nist.gov/vuln/detail/CVE-2024-29014
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29014