CVE-2020-2033: 
Palo Alto Networks GlobalProtect Agent vulnerability analysis and mitigation

A missing certificate validation vulnerability in Palo Alto Networks GlobalProtect app (CVE-2020-2033) can disclose the pre-logon authentication cookie when the pre-logon feature is enabled. The vulnerability was discovered by Tom Wyckhuys and Nabeel Ahmed from NTT Belgium and disclosed on June 10, 2020. This affects GlobalProtect app versions 5.0 (earlier than 5.0.10) and 5.1 (earlier than 5.1.4) when the prelogon feature is enabled (Palo Alto Advisory, NVD).

The vulnerability has a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the following vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. The weakness types associated with this vulnerability are CWE-290 (Authentication Bypass by Spoofing) and CWE-295 (Improper Certificate Validation). The vulnerability requires an attacker to be on the same local area network segment with the ability to manipulate ARP or conduct ARP spoofing attacks (Palo Alto Advisory).

A successful exploit allows an attacker to access the GlobalProtect Server with privileges limited to those configured for the 'pre-login' user. This access is typically more restricted compared to regular user network access. The vulnerability only affects confidentiality, with no impact on integrity or availability (Palo Alto Advisory).

The vulnerability has been fixed in GlobalProtect app versions 5.0.10, 5.1.4, and all later versions. For systems that cannot be immediately updated, the impact can be mitigated by either decreasing the allowed timeout settings for the prelogon feature or completely disabling the feature in the GlobalProtect gateway (Palo Alto Advisory).