A critical vulnerability has been found in Palo Alto GlobalProtect SSL VPN software used by enterprise companies across the globe, including ride-hailing platform Uber.
The bug, however, is somewhat unusual as it has been fixed in recent releases of the solution, used to create secure channels and Virtual Private Network (VPN) tunnels for remote workers -- but was quietly existing in older versions.
If exploited, unauthenticated attackers are able to remotely execute arbitrary code.
Tenable researchers describe the bug as a format string vulnerability in the PAN SSL Gateway, which handles client/server SSL handshakes. The problem lies in how the gateway handles particular value parameters without proper sanitization, and an attacker sending a crafted request to a vulnerable SSL VPN target is enough to trigger an exploit.
The vulnerability in old versions of the software was first uncovered by Devcore researchers Orange Tsai and Meh Chang in a blog post last week.
The duo said the bug was discovered by accident during a Red Team assessment, and a further investigation found that there was no assigned CVE. The "silent fix" RCE was not replicable on the latest version of GlobalProtect, despite success with older variants.
"We do not CVE items found internally and fixed. This issue was previously fixed, but if you find something in a current version, please let us know," Palo Alto told the team when notified of their findings.
Tsai and Chang then chose to explore further and uncovered 22 Uber-owned servers using a vulnerable version of GlobalProtect.
Once the ride-sharing service was made aware of its vulnerable systems, the company quickly tackled the issue.
However, Uber said the Palo Alto SSL VPN was not the primary VPN in use by the majority of staff members, and the software was hosted in AWS rather than embedded within core infrastructure and so the potential impacted was deemed "low."
TechRepublic: 4 ways to avoid malware on Android
The findings, however, did prompt Palo Alto to publish an advisory and the vulnerability's CVE was then assigned. A partial proof-of-concept (PoC) has also been released.
Versions PAN-OS 7.1.18, PAN-OS 8.0.11, and PAN-OS 8.1.2 and earlier are impacted. However, PAN-OS build 9.0 is not susceptible to attack.
It is recommended that users update to a recent version as quickly as possible, including PAN-OS 7.1.19, PAN-OS 8.0.12, PAN-OS 8.1.3, and later. Uber's potential exposure may have been low as the elderly software was hosted in AWS, but that does not mean other enterprise companies may not be vulnerable.
Update 17.41 BST: Uber declined to comment.
Previous and related coverage
- Google wraps up lawsuits over age discrimination, Wi-Fi snooping, child data sharing
- Equifax, regulators sign $700m deal to settle data breach lawsuits
- Google cleans out stalker, spyware apps from Play Store
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0