Critical flaw in Palo Alto VPN solution impacts Uber, other enterprises may be at risk

Updated: The critical vulnerability exists in old, vulnerable versions of the software still in use by companies including Uber.

Uber Air flying taxi service to be trialled in Melbourne Telstra, Macquarie, Westfield-operator Scentre Group, and Melbourne Airport to help the Silicon Valley darling launch a third Uber Air pilot city and the first outside of the United States.

A critical vulnerability has been found in Palo Alto GlobalProtect SSL VPN software used by enterprise companies across the globe, including ride-hailing platform Uber. 

The bug, however, is somewhat unusual as it has been fixed in recent releases of the solution, used to create secure channels and Virtual Private Network (VPN) tunnels for remote workers -- but was quietly existing in older versions.

According to Palo Alto's security advisory, the remote code execution flaw, tracked as CVE-2019-1579, is present in GlobalProtect portal and GlobalProtect Gateway products.

If exploited, unauthenticated attackers are able to remotely execute arbitrary code. 

Tenable researchers describe the bug as a format string vulnerability in the PAN SSL Gateway, which handles client/server SSL handshakes. The problem lies in how the gateway handles particular value parameters without proper sanitization, and an attacker sending a crafted request to a vulnerable SSL VPN target is enough to trigger an exploit.  

See also: Your business hit by a data breach? Expect a bill of $3.92 million

The vulnerability in old versions of the software was first uncovered by Devcore researchers Orange Tsai and Meh Chang in a blog post last week. 

The duo said the bug was discovered by accident during a Red Team assessment, and a further investigation found that there was no assigned CVE. The "silent fix" RCE was not replicable on the latest version of GlobalProtect, despite success with older variants. 

"We do not CVE items found internally and fixed. This issue was previously fixed, but if you find something in a current version, please let us know," Palo Alto told the team when notified of their findings. 

CNET: Facial recognition may be banned from public housing thanks to proposed law

Tsai and Chang then chose to explore further and uncovered 22 Uber-owned servers using a vulnerable version of GlobalProtect. 

Once the ride-sharing service was made aware of its vulnerable systems, the company quickly tackled the issue. 

However, Uber said the Palo Alto SSL VPN was not the primary VPN in use by the majority of staff members, and the software was hosted in AWS rather than embedded within core infrastructure and so the potential impacted was deemed "low."

TechRepublic: 4 ways to avoid malware on Android

The findings, however, did prompt Palo Alto to publish an advisory and the vulnerability's CVE was then assigned. A partial proof-of-concept (PoC) has also been released.

Versions PAN-OS 7.1.18, PAN-OS 8.0.11, and PAN-OS 8.1.2 and earlier are impacted. However, PAN-OS build 9.0 is not susceptible to attack. 

It is recommended that users update to a recent version as quickly as possible, including PAN-OS 7.1.19, PAN-OS 8.0.12, PAN-OS 8.1.3, and later. Uber's potential exposure may have been low as the elderly software was hosted in AWS, but that does not mean other enterprise companies may not be vulnerable. 

Update 17.41 BST: Uber declined to comment.

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0