CVE-2022-0016: 
Palo Alto Networks GlobalProtect Agent vulnerability analysis and mitigation

An improper handling of exceptional conditions vulnerability (CVE-2022-0016) exists within the Connect Before Logon feature of the Palo Alto Networks GlobalProtect app. The vulnerability was disclosed on February 9, 2022, affecting GlobalProtect app 5.2 versions earlier than 5.2.9 on Windows and MacOS platforms. The issue specifically occurs when the feature is configured to use SAML authentication (Palo Alto).

The vulnerability has been assigned a CVSSv3.1 Base Score of 7.4 (HIGH) with the following metrics: Attack Vector: LOCAL, Attack Complexity: HIGH, Privileges Required: NONE, User Interaction: NONE, Scope: UNCHANGED, Confidentiality Impact: HIGH, Integrity Impact: HIGH, Availability Impact: HIGH. The weakness type is classified as CWE-703 (Improper Check or Handling of Exceptional Conditions) (Palo Alto).

When exploited, this vulnerability enables a local attacker to escalate to SYSTEM or root privileges when authenticating with Connect Before Logon under specific circumstances. The impact is limited to systems where SAML authentication is configured in the GlobalProtect Connect Before Logon feature (Palo Alto).

The vulnerability has been fixed in GlobalProtect app 5.2.9 on Windows and MacOS, and all later GlobalProtect app versions. As a workaround, organizations can use non-SAML authentication methods in the GlobalProtect Connect Before Logon feature to remove the impact of this issue (Palo Alto).

The vulnerability was independently discovered and reported by security researchers Adam Crosser and Brian Sizemore from Praetorian, as well as N. Sao from Genetec (Palo Alto).