CVE-2024-8687: 
PAN-OS vulnerability analysis and mitigation

An information exposure vulnerability (CVE-2024-8687) exists in Palo Alto Networks PAN-OS software that enables a GlobalProtect end user to learn both the configured GlobalProtect uninstall password and the configured disable or disconnect passcode. The vulnerability was discovered by Claudiu Pancotan and publicly disclosed on September 11, 2024. It affects multiple versions of PAN-OS and GlobalProtect App, including versions prior to PAN-OS 8.1.25, 9.0.17, 9.1.16, 10.0.12, 10.1.9, 10.2.4, and 11.0.1, as well as Prisma Access versions before 10.2.9 (Palo Advisory).

The vulnerability has been assigned a CVSS v4.0 base score of 6.9 (MEDIUM) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:M/U:Amber. It is classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere). The vulnerability specifically affects systems where features such as 'Allow User to Disable GlobalProtect App', 'Allow user to disconnect GlobalProtect App', or 'Allow User to Uninstall GlobalProtect App' are enabled with passcode protection (Palo Advisory).

Once the password or passcode is exposed, end users can uninstall, disable, or disconnect GlobalProtect even if the GlobalProtect app configuration would not normally permit them to do so. This could potentially compromise the security posture of affected organizations by allowing unauthorized manipulation of security controls (Palo Advisory).

Organizations can mitigate this vulnerability by either upgrading to fixed versions (PAN-OS 8.1.25, 9.0.17, 9.1.16, 10.0.12, 10.1.9, 10.2.4, 11.0.1 or later) or implementing workarounds. The workarounds include changing the settings to 'Allow with Ticket' for disable and disconnect options, and 'Disallow' for the uninstall option. It's important to note that organizations must upgrade all GlobalProtect app deployments to a fixed version before upgrading PAN-OS software to maintain functionality (Palo Advisory).