Exploitable flaws in corporate VPN clients

  • Writer: Ferdinent Fernandez
  • Nov 27, 2024

Vulnerabilities in the update mechanisms of corporate VPN clients from Palo Alto Networks (CVE-2024-5921) and SonicWall (CVE-2024-29014)


Researchers have identified vulnerabilities in the update mechanisms of corporate VPN clients from Palo Alto Networks (CVE-2024-5921) and SonicWall (CVE-2024-29014). These flaws could enable attackers to remotely execute code on users’ devices, posing significant security risks.


Organizations are advised to review and apply security updates or mitigations for these vulnerabilities to prevent potential exploitation.


CVE-2024-5921


CVE-2024-5921 affects various versions of Palo Alto’s GlobalProtect App on Windows, macOS, and Linux due to insufficient certificate validation. This flaw allows attackers to connect the app to unauthorized servers, potentially enabling them to:

  • Install malicious root certificates.

  • Deploy software signed by these certificates.


AmberWolf researchers Richard Warren and David Cash highlighted additional risks:

  • Remote Code Execution (RCE) & Privilege Escalation: The automatic update mechanism, which runs with elevated privileges (SYSTEM on Windows and root on macOS), can be exploited via the PanGPS service to install trusted malicious certificates, leading to RCE and privilege escalation.

  • Social Engineering Threats: Attackers can exploit the app’s default ability to accept arbitrary endpoints in its UI, tricking users into connecting to rogue VPN servers. These servers can capture credentials and deploy malicious updates.


Remediation and Mitigation

  • Fixed Versions:

    • The issue is resolved in GlobalProtect app 6.2.6 and later versions on Windows.

    • A new configuration parameter, FULLCHAINCERTVERIFY, enforces stricter certificate validation against the trusted certificate store.

  • No Fixes Yet for macOS or Linux: Palo Alto’s advisory confirms that updates for these platforms are pending.

  • Workarounds:

    • Enable FIPS-CC mode on both the GlobalProtect app and the portal/gateway.

    • Apply host-based firewall rules that restrict the client to approved VPN servers and block connections to any others.


Organizations using the GlobalProtect app should urgently apply available patches and implement mitigations to reduce the risk of exploitation.
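The root cause in the GlobalProtect case is that the client did not validate the server's certificate chain against the trusted store, which is exactly what the FULLCHAINCERTVERIFY setting now enforces. The following is an added example, not Palo Alto's code, that an administrator can run from a managed Windows host to check whether a portal presents a chain that would pass that stricter validation: the handshake is completed, the leaf certificate is captured, and the chain is rebuilt against the machine's trusted root store with every leniency flag disabled. The portal name is an assumed placeholder.

```powershell
# Added example (not Palo Alto's code): connect to a VPN portal and judge its certificate
# the way a strict client should. The full chain must build to a root in the machine's
# trusted store, with no "unknown CA" and no name-mismatch exceptions tolerated.
function Test-VpnPortalCertificateChain {
    param(
        [Parameter(Mandatory)] [string] $PortalHost,   # assumed placeholder, e.g. vpn.example.com
        [int] $Port = 443
    )
    # The callback returns $true only so the handshake completes and the certificate can be
    # inspected; the verdict is made below, not here. Policy errors are captured for the report.
    $state = @{ PolicyErrors = $null }
    $callback = {
        param($sender, $cert, $chain, $errors)
        $state.PolicyErrors = $errors
        return $true
    }.GetNewClosure()

    $tcp = [System.Net.Sockets.TcpClient]::new($PortalHost, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($PortalHost)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally {
        $tcp.Dispose()
    }

    # Rebuild the chain against the local trusted store with revocation checking on and
    # VerificationFlags = NoFlag, so AllowUnknownCertificateAuthority and friends are not in play.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.VerificationFlags = 'NoFlag'
    $chainOk = $chain.Build($leaf)

    $problems = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    if ($state.PolicyErrors -ne 'None') {
        $problems += "TLS policy errors reported during handshake: $($state.PolicyErrors)"
    }

    [pscustomobject]@{
        Portal   = $PortalHost
        Subject  = $leaf.Subject
        Root     = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        Trusted  = ($chainOk -and $state.PolicyErrors -eq 'None')
        Problems = $problems
    }
}

# Usage (placeholder host): Test-VpnPortalCertificateChain -PortalHost 'vpn.example.com'
```

A result with `Trusted = False` and a problem such as "A certificate chain processed, but terminated in a root certificate which is not trusted" is the situation the vulnerable client silently accepted; a portal that only passes because of a self-signed or privately issued root should be fixed before FULLCHAINCERTVERIFY is enabled, or users will lose connectivity rather than gain protection.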


CVE-2024-29014

CVE-2024-29014 impacts SonicWall's NetExtender VPN client for Windows (versions 10.2.339 and earlier). The flaw, stemming from insufficient signature validation, allows attackers to execute code with SYSTEM privileges during an End Point Control (EPC) Client update.
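An update that runs as SYSTEM is only as safe as the check performed before it is launched. The following is an added example, not SonicWall's code, showing the control the vulnerable updater lacked: a downloaded package is executed only if it carries a valid Authenticode signature from an allow-listed publisher. The allow-listed thumbprint is an assumed placeholder; a real deployment would pin the vendor's actual code-signing certificate thumbprints.

```powershell
# Added example (not SonicWall's code): gate an update package on a valid Authenticode
# signature from a pinned publisher before anything runs with elevated privileges.
function Test-UpdatePackageSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed placeholder thumbprint; replace with the vendor's real signing-cert thumbprints.
        [string[]] $AllowedThumbprints = @('0000000000000000000000000000000000000000')
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Update package not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $reasons = @()

    # Status covers "not signed", "hash mismatch" (tampered after signing) and untrusted chain.
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature status is $($sig.Status)"
    }

    # A valid signature from the wrong publisher is the case a bare "is it signed?" check misses:
    # anyone can buy a code-signing certificate, so the signer itself must be pinned.
    if (-not $sig.SignerCertificate) {
        $reasons += 'no signer certificate present'
    } elseif ($sig.SignerCertificate.Thumbprint -notin $AllowedThumbprints) {
        $reasons += "signer thumbprint $($sig.SignerCertificate.Thumbprint) is not allow-listed"
    }

    [pscustomobject]@{
        Path    = $Path
        Trusted = ($reasons.Count -eq 0)
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Reasons = $reasons
    }
}

function Install-UpdateIfTrusted {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $AllowedThumbprints
    )
    $check = Test-UpdatePackageSignature -Path $Path -AllowedThumbprints $AllowedThumbprints
    if (-not $check.Trusted) {
        Write-Warning "Refusing to run $Path : $($check.Reasons -join '; ')"
        return $false
    }
    # Only a package that passed both checks reaches this point.
    Start-Process -FilePath $Path -Wait
    return $true
}

# Usage (placeholder path and thumbprint):
# Install-UpdateIfTrusted -Path 'C:\Temp\epc-update.exe' -AllowedThumbprints @('<vendor thumbprint>')
```

The same two questions, "is the signature valid?" and "is the signer the one we expect?", apply whether the check is built into a client's updater or used by a help desk to vet a package a user received from an unfamiliar server.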


Exploitation Scenarios

  • Malicious VPN Servers: Attackers can trick users into connecting to rogue servers and installing fake EPC Client updates.

  • Custom URI Handler Exploit: If the SMA Connect Agent is installed, attackers can abuse a custom URI handler to direct the NetExtender client to malicious servers. This can be triggered through:

    • Visiting malicious websites and accepting browser prompts.

    • Opening malicious documents.


Resolution and Mitigation

  • Patches: SonicWall has patched the vulnerability in NetExtender Windows 10.2.341 and later versions. Users are strongly urged to upgrade to a secure version.

  • Mitigation for Delayed Upgrades:

    • Implement a client firewall to restrict access to trusted VPN endpoints only, reducing the likelihood of users connecting to malicious servers.


Organizations using affected versions should prioritize patching or applying mitigations to safeguard their systems against exploitation.
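Both advisories above recommend the same interim control: a host-based firewall rule that keeps the VPN client from reaching anything other than the organization's own gateways. The following is an added example, not Palo Alto's or SonicWall's code, that implements it with the built-in Windows Defender Firewall cmdlets. The install paths and gateway addresses are assumed placeholders (the addresses are RFC 5737 documentation ranges) and must be replaced with the values confirmed on a managed host.

```powershell
# Added example (not vendor code): pin VPN client executables to approved gateway IPs with
# Windows Defender Firewall. Paths and addresses below are assumed placeholders.
$VpnClientExecutables = @(
    'C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe',           # assumed path
    'C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe',           # assumed path
    'C:\Program Files (x86)\SonicWall\SSL-VPN\NetExtender\NEGui.exe'          # assumed path
)
$TrustedGateways = @('203.0.113.10', '203.0.113.11')   # placeholder documentation addresses

# In Windows Firewall a matching Block rule beats a matching Allow rule, so "allow trusted +
# block everything" would block the trusted gateways too. Instead, block the complement of
# the trusted set, which is computed here as explicit IPv4 ranges.
function ConvertTo-UInt32Address ([string] $Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3]
}

function ConvertFrom-UInt32Address ([uint64] $N) {
    $o = @()
    foreach ($div in 16777216, 65536, 256, 1) {
        $o += [int]([math]::Floor($N / $div)) % 256
    }
    return ($o -join '.')
}

function Get-Ipv4Complement ([string[]] $Allowed) {
    $sorted = @($Allowed | ForEach-Object { ConvertTo-UInt32Address $_ } | Sort-Object -Unique)
    $ranges = @()
    $start = [uint64]0
    foreach ($n in $sorted) {
        if ($n -gt $start) {
            $ranges += ('{0}-{1}' -f (ConvertFrom-UInt32Address $start), (ConvertFrom-UInt32Address ($n - 1)))
        }
        $start = $n + 1
    }
    if ($start -le 4294967295) {
        $ranges += ('{0}-{1}' -f (ConvertFrom-UInt32Address $start), (ConvertFrom-UInt32Address 4294967295))
    }
    return $ranges
}

$untrustedRanges = Get-Ipv4Complement -Allowed $TrustedGateways

foreach ($exe in $VpnClientExecutables) {
    $name = [System.IO.Path]::GetFileNameWithoutExtension($exe)
    New-NetFirewallRule -DisplayName "VPN client $name - block untrusted gateways" `
        -Direction Outbound -Program $exe -RemoteAddress $untrustedRanges `
        -Action Block -Profile Any -Enabled True | Out-Null
}
# Gateways reached over IPv6 are not covered by these rules; add a matching IPv6 rule if needed.
```

With these rules in place, a user who is talked into typing a rogue portal address into the client UI gets a connection failure rather than a malicious update. The rules do nothing for traffic from other programs, and they must be revisited whenever a gateway address changes, which is why the advisories present them as a stop-gap until the patched client versions are deployed.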

