CVE-2022-0019: 
Palo Alto Networks GlobalProtect Agent vulnerability analysis and mitigation

An insufficiently protected credentials vulnerability was discovered in the Palo Alto Networks GlobalProtect app on Linux, identified as CVE-2022-0019. The vulnerability was discovered by Josh Wisely and Praveen Bomma of Splunk and disclosed on February 9, 2022. This security flaw affects GlobalProtect app versions 5.1 (earlier than 5.1.10), 5.2 (up to and including 5.2.7), and 5.3 (earlier than 5.3.2) specifically on Linux platforms (Palo Alto).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.7 (Medium severity) with the following metrics: Attack Vector: Local, Attack Complexity: High, Privileges Required: Low, User Interaction: None, Scope: Unchanged, Confidentiality Impact: High, Integrity Impact: None, Availability Impact: None. The vulnerability is classified as CWE-522 (Insufficiently Protected Credentials) and only affects users who have saved their credentials for authentication to a GlobalProtect portal (Palo Alto).

The vulnerability exposes hashed credentials of GlobalProtect users who saved their passwords during previous sessions to other local users on the system. This exposure enables local attackers to authenticate to the GlobalProtect portal or gateway as the target user without knowing the target user's plaintext password (Palo Alto).

The vulnerability has been fixed in GlobalProtect app versions 5.1.10 and 5.3.2 on Linux, and all later versions. When the fixed GlobalProtect app is launched, existing exposed credentials files will be automatically secured. As a temporary workaround, users are advised not to save their credentials until upgrading to a fixed version. Additionally, GlobalProtect portal administrators can prevent users from saving credentials by disabling the 'Save User Credentials' option in the portal agent configuration (Palo Alto).