53%
16%
60%
When the pre-logon feature is enabled, a missing certification validation in Palo Alto Networks GlobalProtect app can disclose the pre-logon authentication cookie to a man-in-the-middle attacker on the same local area network segment with the ability to manipulate ARP or to conduct ARP spoofing attacks. This allows the attacker to access the GlobalProtect Server as allowed by configured Security rules for the 'pre-login' user. This access may be limited compared to the network access of regular users. This issue affects: GlobalProtect app 5.0 versions earlier than GlobalProtect app 5.0.10 when the prelogon feature is enabled; GlobalProtect app 5.1 versions earlier than GlobalProtect app 5.1.4 when the prelogon feature is enabled.
CVSS 3.1 Base Score 5.3. CVSS Attack Vector: adjacent_network. CVSS Attack Complexity: high. CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVSS 2.0 Base Score 2.9. CVSS Attack Vector: adjacent_network. CVSS Attack Complexity: medium. CVSS Vector: (AV:A/AC:M/Au:N/C:P/I:N/A:N).
This code checks the certificate of a connected peer.
foo=SSL_get_verify_result(ssl);
// certificate looks good, host can be trustedIn this case, because the certificate is self-signed, there was no external authority that could prove the identity of the host. The program could be communicating with a different system that is spoofing the host, e.g. by poisoning the DNS cache or using a MITM attack to modify the traffic from server to client.
The following OpenSSL code obtains a certificate and verifies it.
}
// do secret thingsEven though the "verify" step returns X509_V_OK, this step does not include checking the Common Name against the name of the host. That is, there is no guarantee that the certificate is for the desired host. The SSL connection could have been established with a malicious host that provided a valid certificate.
The following OpenSSL code ensures that there is a certificate and allows the use of expired certificates.
//do stuffIf the call to SSL_get_verify_result() returns X509_V_ERR_CERT_HAS_EXPIRED, this means that the certificate has expired. As time goes on, there is an increasing chance for attackers to compromise the certificate.
The following OpenSSL code ensures that there is a certificate before continuing execution.
// got a certificate, do secret thingsBecause this code does not use SSL_get_verify_results() to check the certificate, it could accept certificates that have been revoked (X509_V_ERR_CERT_REVOKED). The software could be communicating with a malicious host.
The following OpenSSL code ensures that the host has a certificate.
}
// got certificate, host can be trusted//foo=SSL_get_verify_result(ssl);//if (X509_V_OK==foo) ...Note that the code does not call SSL_get_verify_result(ssl), which effectively disables the validation step that checks the certificate.
The following code authenticates users.
}authenticated = true;The authentication mechanism implemented relies on an IP address for source validation. If an attacker is able to spoof the IP, they may be able to bypass the authentication mechanism.
Both of these examples check if a request is from a trusted address before responding to the request.
}}n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) & cli, &clilen);
}
}DatagramPacket sp =new DatagramPacket(out,out.length, IPAddress, port); outSock.send(sp);The code only verifies the address as stored in the request packet. An attacker can spoof this address, thus impersonating a trusted client
The following code samples use a DNS lookup in order to decide whether or not an inbound request is from a trusted host. If an attacker can poison the DNS cache, they can gain trusted status.
}trusted = true;trusted = false;
}trusted = true;
}trusted = true;IP addresses are more reliable than DNS names, but they can also be spoofed. Attackers can easily forge the source IP address of the packets they send, but response packets will return to the forged IP address. To see the response packets, the attacker has to sniff the traffic between the victim machine and the forged IP address. In order to accomplish the required sniffing, attackers typically attempt to locate themselves on the same subnet as the victim machine. Attackers may be able to circumvent this requirement by using source routing, but source routing is disabled across much of the Internet today. In summary, IP address verification can be a useful part of an authentication scheme, but it should not be the single factor required for authentication.
ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.
If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.