CVE-2024-5908: 
Palo Alto Networks GlobalProtect Agent vulnerability analysis and mitigation

A vulnerability in the Palo Alto Networks GlobalProtect app was discovered that results in exposure of encrypted user credentials used for connecting to GlobalProtect in application logs. The vulnerability, identified as CVE-2024-5908, affects GlobalProtect app versions 5.1.x through 6.2.x on Windows and macOS platforms. The issue was discovered by Denis Faiustov and Ruslan Sayfiev of GMO Cybersecurity by IERAE and was publicly disclosed on June 12, 2024 (Palo Advisory).

The vulnerability has been assigned a CVSS v4.0 Base Score of 5.5 (MEDIUM) with the following vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/AU:N/R:U/V:D/RE:M/U:Amber. The issue specifically involves the exposure of encrypted credentials in the PanGPA.log files, which are normally only viewable by local users and included when generating logs for troubleshooting purposes. The vulnerability is classified as CWE-532: Insertion of Sensitive Information into Log File (NVD, Palo Advisory).

The vulnerability exposes encrypted credentials to recipients of the application logs. This includes GlobalProtect username and password when using Radius or Local db authentication, LDAP credentials when LDAP is used for authentication, and Windows credentials when 'User-logon (Always On)' and 'Use Single Sign-on (Windows)' are enabled in the Portal > Agent > App tab settings (Palo Advisory).

The vulnerability has been fixed in GlobalProtect app versions 5.1.12, 6.0.8, 6.1.3, 6.2.3, and all later versions. To protect against the impact of this encrypted password disclosure, administrators should first delete PanGPA.log files from the GlobalProtect installation directory on all endpoints and then force a rotation of user passwords that are used to connect to GlobalProtect (Palo Advisory).