Full Report
Cybersecurity researchers have disclosed a set of flaws impacting Palo Alto Networks and SonicWall virtual private network (VPN) clients that could be potentially exploited to gain remote code execution on Windows and macOS systems. "By targeting the implicit trust VPN clients place in servers, attackers can manipulate client behaviours, execute arbitrary commands, and gain high levels of access
Analysis Summary
# Vulnerability: Critical Flaws in Palo Alto Networks and SonicWall VPN Clients Exploitable via Rogue Servers
## CVE Details
- **CVE-2024-5921**
  - CVSS Score: 5.6 (Medium)
  - CWE: Insufficient Certificate Validation (inferred from description)
- **CVE-2024-29014**
  - CVSS Score: 7.1 (High)
  - CWE: Insecure Update Mechanism/Improper Input Validation (inferred from description)
## Affected Systems
- **Products:**
  - Palo Alto Networks GlobalProtect (Windows, macOS, Linux)
  - SonicWall SMA100 NetExtender (Windows client)
- **Versions:**
  - Palo Alto Networks GlobalProtect: versions prior to 6.2.6 (the fix is explicitly noted only for the Windows client).
  - SonicWall NetExtender: versions 10.2.339 and earlier.
- **Configurations:**
  - **CVE-2024-5921 (Palo Alto):** The attacker must either have access as a local non-administrative OS user or be on the same subnet as the target, and must additionally be able to install malicious root certificates on the endpoint in order to force the client to connect to arbitrary servers and download malicious software.
## Vulnerability Description
The identified issues fundamentally stem from the implicit trust placed by the VPN clients in the servers they connect to. This allows an attacker operating a rogue VPN server to manipulate client behavior.
1. **CVE-2024-5921 (Palo Alto Networks GlobalProtect):** This is an insufficient certificate validation vulnerability. If prerequisites regarding local certificate installation are met, the client connects to arbitrary servers, which can lead to the deployment of malicious software.
2. **CVE-2024-29014 (SonicWall NetExtender):** This vulnerability allows an attacker to execute arbitrary code when the client processes a specific update originating from the End Point Control (EPC) Client update mechanism.
## Exploitation
- **Status:** Proof-of-Concept (PoC) available. The research led to the creation of the "NachoVPN" tool, which simulates rogue VPN servers to exploit these vulnerabilities.
- **Complexity:** Medium (the local prerequisites raise the bar for the Palo Alto issue; the core mechanism, a rogue server manipulating the client, is straightforward).
- **Attack Vector:** Primarily Network/Adjacent (through manipulation of the connection endpoint).
## Impact
The primary result of a successful exploitation is the execution of arbitrary code with elevated privileges, potentially leading to full system compromise.
- **Confidentiality:** High (Arbitrary code execution allows credential theft, including VPN credentials).
- **Integrity:** High (Attacker can execute arbitrary code).
- **Availability:** High (Remote Code Execution can lead to system downtime or further malicious actions).
## Remediation
### Patches
- **CVE-2024-5921 (Palo Alto Networks GlobalProtect):** Patched in version **6.2.6** for Windows; fixes for the other affected platforms are presumed to follow in subsequent versions, as only the Windows fix is explicitly noted.
- **CVE-2024-29014 (SonicWall NetExtender):** Addressed in version **10.2.341**.
### Workarounds
The summary details no general workaround beyond noting that, for the Palo Alto issue, the attacker must first meet local prerequisites such as installing malicious root certificates. Limiting network access to trusted VPN servers may serve as a temporary defense against rogue server simulation.
## Detection
- **Indicators of Compromise:** Look for unexpected network connections or update attempts originating from the GlobalProtect or NetExtender processes to servers that are not known, trusted VPN servers, and for systems where unauthorized arbitrary code execution followed a VPN connection attempt.
- **Detection methods and tools:** Endpoint Detection and Response (EDR) solutions should monitor for processes associated with GlobalProtect or NetExtender attempting to execute unapproved files, or to install or use untrusted root certificates.
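The three detection signals above, expressed as a triage rule over constructed endpoint telemetry. This is an added example, not code from the report or from either vendor; the VPN client process names, the event schema and the trusted-server allowlist are assumptions to be replaced with your own environment's values.

```python
from dataclasses import dataclass

# Assumed image names of the VPN client processes (verify against your EDR's process inventory).
VPN_CLIENT_PROCESSES = {"pangps.exe", "pangpa.exe", "neclient.exe"}
# Constructed allowlist of legitimate VPN portals/servers for this environment.
TRUSTED_VPN_SERVERS = {"vpn.example.com"}
# Assumed benign child processes the VPN client is expected to spawn.
EXPECTED_CHILDREN = {"pangps.exe", "pangpa.exe"}


@dataclass
class Event:
    kind: str      # "net_connect", "proc_create" or "cert_install"
    process: str   # image name of the acting process
    target: str    # destination host, child image name, or certificate store written to


def triage(events):
    """Return (event, reason) pairs for telemetry that matches the indicators above:
    a VPN client talking to a non-allowlisted server, spawning an unexpected child,
    or writing to a trusted root certificate store."""
    findings = []
    for ev in events:
        if ev.process.lower() not in VPN_CLIENT_PROCESSES:
            continue  # only the VPN client processes are in scope
        target = ev.target.lower()
        if ev.kind == "net_connect" and target not in TRUSTED_VPN_SERVERS:
            findings.append((ev, "connection to non-allowlisted VPN server"))
        elif ev.kind == "proc_create" and target not in EXPECTED_CHILDREN:
            findings.append((ev, "unexpected child process"))
        elif ev.kind == "cert_install" and target.endswith("root"):
            findings.append((ev, "trusted root certificate store modification"))
    return findings


# Constructed sample telemetry (not real logs): one benign connection, one rogue
# portal, one unexpected child, one root-store write, and one out-of-scope process.
SAMPLE_EVENTS = [
    Event("net_connect", "PanGPS.exe", "vpn.example.com"),
    Event("net_connect", "PanGPS.exe", "portal.rogue.example"),
    Event("proc_create", "NEClient.exe", "cmd.exe"),
    Event("cert_install", "PanGPS.exe", "LocalMachine\\Root"),
    Event("net_connect", "browser.exe", "portal.rogue.example"),
]

if __name__ == "__main__":
    for ev, reason in triage(SAMPLE_EVENTS):
        print(f"{ev.process} -> {ev.target}: {reason}")
```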
## References
- AmberWolf Research Disclosure: hxxps://blog.amberwolf.com/blog/2024/november/introducing-nachovpn---one-vpn-server-to-pwn-them-all/
- Palo Alto Networks Advisory: hxxps://security.paloaltonetworks.com/CVE-2024-5921
- SonicWall Advisory: hxxps://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0011
- PoC Tool (NachoVPN): hxxps://github.com/AmberWolfCyber/NachoVPN