Critical Pre-Authentication Vulnerability in Palo Alto GlobalProtect SSL VPN (July 2019)

A critical remote code execution vulnerability was disclosed on July 17 that applies to older versions of Palo Alto firmware with GlobalProtect Portal or GlobalProtect Gateway Interface enabled.

The vulnerability applies to PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11 and earlier, and PAN-OS 8.1.2 and earlier. It does not impact PAN-OS 9.0.

Devices matching these parameters may allow an unauthenticated remote attacker to execute arbitrary code on the device. Proof-of-concept code for this vulnerability has already been released, so we expect to see public exploitation of live systems in the near future.

This could allow an attacker to take control of the device, and use this foothold to gain access to the internal network.

If you are unable to upgrade to a patched version of the firmware, Palo Alto have provided mitigations for the vulnerability. Please contact Secure-ISS if you require assistance in identifying or remediating this vulnerability.
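
To check a firewall inventory against the version ranges listed above, the following added example (not code from Palo Alto or from the original advisory) classifies PAN-OS version strings. The hostnames and inventory rows are constructed, and treating a hotfix build such as `8.1.2-h1` as the same release as its base version is an assumption.

```python
import re

# Last affected maintenance release per branch, as listed in the advisory.
LAST_AFFECTED = {(7, 1): 18, (8, 0): 11, (8, 1): 2}
# Branches the advisory states are not impacted.
NOT_IMPACTED = {(9, 0)}

# major.minor.maintenance with an optional hotfix suffix, e.g. 8.1.2-h1.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def triage(version, globalprotect_enabled):
    """Classify one device against the advisory's version ranges."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"            # review by hand rather than guess
    major, minor, maint = (int(g) for g in m.groups())
    branch = (major, minor)
    if branch in NOT_IMPACTED:
        return "not-affected"
    if branch not in LAST_AFFECTED:
        return "not-listed"          # advisory is silent on this branch
    # Assumption: a hotfix build counts as its base release.
    if maint > LAST_AFFECTED[branch]:
        return "patched"
    # In-range versions are exposed only with a GlobalProtect portal or
    # gateway interface enabled; flag the rest for upgrade anyway.
    return "affected" if globalprotect_enabled else "in-range-gp-disabled"


def affected_hosts(inventory):
    """Return hostnames that need immediate patching or mitigation."""
    return [h for h, v, gp in inventory if triage(v, gp) == "affected"]


# Constructed sample inventory: (hostname, PAN-OS version, GlobalProtect on?)
INVENTORY = [
    ("fw-edge-01", "8.1.2", True),
    ("fw-edge-02", "8.1.2-h1", True),
    ("fw-dc-01", "8.0.12", True),
    ("fw-lab-01", "7.1.18", False),
    ("fw-branch-01", "9.0.2", True),
    ("fw-legacy-01", "7.0.19", True),
]

if __name__ == "__main__":
    for host, version, gp in INVENTORY:
        print(f"{host:14} {version:10} {triage(version, gp)}")
```

Devices reported as `not-listed` or `unparsed` fall outside what this advisory states and should be checked against the vendor advisory linked below.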

Further reading:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1579
https://securityadvisories.paloaltonetworks.com/Home/Detail/158