Multiple vulnerabilities in GlobalProtect Agent
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2022-0021 CVE-2022-0018 CVE-2022-0017 CVE-2022-0016 |
| CWE-ID | CWE-532 CWE-200 CWE-59 CWE-703 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
GlobalProtect Agent Client/Desktop applications / Antivirus software/Personal firewalls |
| Vendor | Palo Alto Networks, Inc. |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Inclusion of Sensitive Information in Log Files
EUVDB-ID: #VU60487
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2022-0021
CWE-ID:
CWE-532 - Information Exposure Through Log Files
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to software stores cleartext credentials of the connecting GlobalProtect user when authenticating using Connect Before Logon feature. A local user can read the log files and gain access to sensitive data.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGlobalProtect Agent: 5.2.0 - 5.2.8
CPE2.3 External linkshttp://security.paloaltonetworks.com/CVE-2022-0021
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
2) Information disclosure
EUVDB-ID: #VU60485
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2022-0018
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to credentials of the local user account are sent to the GlobalProtect portal when the Single Sign-On feature is enabled in the GlobalProtect portal configuration. A remote attacker can perform MitM attack and intercept credentials.
This vulnerability is a concern where the GlobalProtect app is deployed on Bring-your-Own-Device (BYOD) type of clients with private local user accounts or GlobalProtect app is used to connect to different organizations.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGlobalProtect Agent: 5.1.0 - 5.2.8
CPE2.3 External linkshttp://security.paloaltonetworks.com/CVE-2022-0018
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
3) Link following
EUVDB-ID: #VU60484
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2022-0017
CWE-ID:
CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insecure link following issue. A local user can create a specially crafted symbolic link to a critical file on the system and overwrite it with SYSTEM privileges.
Install updates from vendor's website.
Vulnerable software versionsGlobalProtect Agent: 5.1.0 - 5.2.4
CPE2.3 External linkshttp://security.paloaltonetworks.com/CVE-2022-0017
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
4) Improper Check or Handling of Exceptional Conditions
EUVDB-ID: #VU60483
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2022-0016
CWE-ID:
CWE-703 - Improper Check or Handling of Exceptional Conditions
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper handling of exceptional conditions within the Connect Before Logon feature. A local user can under certain circumstances execute arbitrary code with SYSTEM privileges when authenticating with Connect Before Logon.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGlobalProtect Agent: 5.2.0 - 5.2.8
CPE2.3 External linkshttp://security.paloaltonetworks.com/CVE-2022-0016
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
