CVE-2020-1988: 
Palo Alto Networks GlobalProtect Agent vulnerability analysis and mitigation

An unquoted search path vulnerability (CVE-2020-1988) was discovered in the Windows release of GlobalProtect App. The vulnerability was disclosed on April 8, 2020, affecting Palo Alto Networks GlobalProtect App versions 5.0 before 5.0.5 and 4.1 before 4.1.13 on Windows systems (Vendor Advisory).

The vulnerability is classified as an unquoted search path vulnerability (CWE-428). It received a CVSS v3.1 Base Score of 4.2 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L according to Palo Alto Networks, while the NVD assessment rated it at 6.7 (MEDIUM) with vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (Vendor Advisory, NVD).

The vulnerability allows an authenticated local user with file creation privileges on the root of the OS disk (C:) or Program Files directory to gain system privileges (Vendor Advisory).

The vulnerability has been fixed in GlobalProtect App versions 5.0.5 and 4.1.13 and all later versions. As a workaround, administrators can restrict file creation privileges on the root of the OS disk (C:) or Program Files directory for unprivileged users (Vendor Advisory).

Palo Alto Networks acknowledged Ratnesh Pandey of Bromium and Matthew Batten for discovering and reporting this issue (Vendor Advisory).